storage protector and others?
ariesjmk
2008-01-31, 14:47
My apologies for the last thread with the attachment; I couldn't get it to paste on my computer. Here it is, correctly done.
It started with a balloon telling me ZoneAlarm wasn't working properly and to click to fix it. I did. I now have 'Windows Update' and 'Help & Support' icons on my desktop from Storage Protector which I cannot get rid of. Since then I think I have had a variety of problems: windows popping up, a very slow computer, crashing, Win32, Virtumonde and I don't even know what else. I have since installed Spy Sweeper as recommended at PC World. It took 4 installation attempts for it to work, as the infection disables it. I think it is OK now but it is not resolving any of my problems. I have difficulty running Avast and Spy Sweeper as they take hours (if I'm lucky) or 'Windows' is closed down because it is 'unstable', according to the message. Please help. I have tried everything I am capable of doing and am desperate.
I have attached the HJT file. Kaspersky is too large.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:17:53, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] "C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe" -t
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by135fd.bay135.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: cfblcwkd - cfblcwkd.dll (file missing)
O20 - Winlogon Notify: mfbcnhoy - mfbcnhoy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6372 bytes
little eagle
2008-02-04, 05:15
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.
3. Now double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
ariesjmk
2008-02-04, 21:42
ComboFix 08-02.03.1 - Jackie 2008-02-04 19:07:30.1 - NTFSx86
Running from: C:\Documents and Settings\Jackie\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\anyone\Application Data\Hotbar\eskin\
C:\Documents and Settings\anyone\Application Data\Hotbar\v3.0\Hotbar\dynamic\TooltipXML\
C:\Documents and Settings\anyone\Application Data\Hotbar\v3.0\Hotbar\dynamic\ustat\
C:\Documents and Settings\anyone\Application Data\Hotbar\v3.0\Hotbar\static\2\
C:\Documents and Settings\All Users\Application Data\storageprotector
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user
C:\Documents and Settings\Guest\Application Data\storageprotector
C:\Documents and Settings\Guest\Application Data\storageprotector\Logs\update.log
C:\Documents and Settings\Jackie\Application Data\storageprotector
C:\Documents and Settings\Jackie\Application Data\storageprotector\Logs\update.log
C:\Program Files\Common Files\StorageProtector
C:\Program Files\MyWay
C:\Redemption.ECF
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\cfblcwkd.dllbox
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\ghmymdbe.ini
C:\WINDOWS\SYSTEM32\gjkkj.ini
C:\WINDOWS\SYSTEM32\gjkkj.ini2
C:\WINDOWS\system32\mfbcnhoy.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\suxninkl.ini
C:\WINDOWS\system32\tuvttqr.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.
2008-01-30 21:16 . 2008-01-30 21:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:11 . 2008-01-29 21:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-29 21:11 . 2008-01-29 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-29 17:47 . 2008-01-29 17:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-28 21:58 . 2004-01-27 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-28 21:58 . 2004-01-27 21:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-28 20:59 . 2008-01-28 20:59 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-25 19:59 . 2008-01-25 19:59 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-21 10:13 . 2008-02-04 18:48 3,361 --a------ C:\WINDOWS\SYSTEM32\wdf_dxs.dat
2008-01-21 09:42 . 2005-05-23 17:01 952,320 --a------ C:\WINDOWS\wdfInstall.dll
2008-01-21 09:42 . 2005-05-23 17:01 585,216 --a------ C:\WINDOWS\WRSetup.dll
2008-01-21 09:42 . 2005-03-22 16:57 184,320 --a------ C:\WINDOWS\WDFSCReg.dll
2008-01-21 09:42 . 2005-05-23 17:01 88,064 --a------ C:\WINDOWS\wdfWEL.dll
2008-01-21 09:42 . 2005-05-23 17:01 51,200 --a------ C:\WINDOWS\WDFLanguagePack.dll
2008-01-21 09:42 . 2005-01-31 11:46 45,056 --a------ C:\WINDOWS\wdfserv.dat
2008-01-21 09:42 . 2005-03-18 12:43 40,960 --a------ C:\WINDOWS\PWIWrapper.dll
2008-01-21 09:42 . 2005-02-09 15:59 24,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pwipf2.sys
2008-01-21 09:42 . 2005-02-09 22:07 1,888 --a------ C:\WINDOWS\SYSTEM32\WDF.mof
2008-01-21 09:11 . 2005-05-23 17:01 952,320 --a------ C:\WINDOWS\wdfInstall.dat
2008-01-21 09:11 . 2005-03-22 16:57 184,320 --a------ C:\WINDOWS\WDFSCReg.dat
2008-01-21 09:11 . 2005-01-31 11:46 45,056 --a------ C:\WINDOWS\wdfserv01.dat
2008-01-20 22:16 . 2008-01-21 09:42 71 --a------ C:\WINDOWS\SYSTEM32\wdf_aff.dat
2008-01-20 20:28 . 2008-01-22 22:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-20 20:24 . 2008-01-22 22:40 <DIR> d-------- C:\Program Files\Webroot
2008-01-20 20:24 . 2008-01-22 22:40 <DIR> d-------- C:\Documents and Settings\Jackie\Application Data\Webroot
2008-01-20 20:24 . 2006-07-07 16:41 117,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2008-01-20 20:24 . 2006-07-07 16:41 15,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2008-01-20 20:24 . 2006-07-07 16:41 13,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS041A.sys
2008-01-20 20:23 . 2008-01-22 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-19 19:40 . 2006-07-07 16:41 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2008-01-18 22:05 . 2008-01-20 19:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-18 21:27 . 2008-01-18 22:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 21:27 . 2008-01-18 22:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 21:25 . 2008-01-19 10:46 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-18 20:36 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-18 20:36 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-18 20:36 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-18 20:35 . 2008-01-18 20:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-18 20:35 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-18 20:35 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-18 20:35 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-18 20:35 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-18 20:35 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-18 17:46 . 2008-01-18 17:46 <DIR> d-------- C:\Documents and Settings\Jackie\.housecall6.6
2008-01-18 17:18 . 2008-01-18 17:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 17:18 . 2008-01-18 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-18 17:17 . 2008-01-18 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 16:37 . 2008-01-18 16:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 22:11 . 2008-01-17 22:11 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-17 21:19 . 2008-01-17 21:21 <DIR> d-------- C:\Program Files\MP3 Workshop
2008-01-17 20:19 . 2008-01-17 20:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\Samsung_USB_Drivers
2008-01-17 20:19 . 2008-01-17 20:19 <DIR> d-------- C:\Program Files\Samsung
2008-01-17 20:19 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-11 17:07 . 2008-01-18 22:23 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray .exe
2008-01-11 17:07 . 2008-01-18 22:23 126,976 --a------ C:\WINDOWS\SYSTEM32\hkcmd .exe
2008-01-11 17:07 . 2008-01-18 21:12 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2008-01-11 17:07 . 2008-01-17 22:43 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-10 22:52 . 2008-01-29 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01
2008-01-10 22:52 . 2008-01-10 22:52 <DIR> d-------- C:\Temp\Ryuan1
2008-01-10 22:52 . 2008-01-10 22:52 <DIR> d-------- C:\Temp
2008-01-10 19:44 . 2008-01-10 19:44 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-10 19:41 . 2008-01-10 19:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-10 19:41 . 2008-01-10 19:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 18:04 --------- d-----w C:\Program Files\QuickTime
2008-01-20 15:24 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd3965.sys
2008-01-18 15:19 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-18 15:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 22:50 --------- d-----w C:\Program Files\Common Files\Adobe
2007-06-25 06:54 6,067,320 -c--a-w C:\Program Files\16. M.F.S.B. - K-Jee.mp3
.
----a-w 180,269 2008-01-18 21:12:52 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 110,592 2008-01-18 22:24:01 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 133,016 2008-01-18 15:00:48 C:\Program Files\DAEMON Tools\daemon .exe
----a-w 204,800 2008-01-18 21:12:43 C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w 262,144 2008-01-18 21:13:30 C:\Program Files\Jessops\Picture Suite\InsDetect .exe
----a-w 45,056 2008-01-18 21:12:47 C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor .exe
----a-w 919,016 2008-01-17 20:10:25 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w 15,360 2008-01-17 22:43:14 C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w 28,672 2008-01-18 21:12:42 C:\WINDOWS\SYSTEM32\DSentry .exe
----a-w 126,976 2008-01-18 22:23:40 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2008-01-18 22:23:35 C:\WINDOWS\SYSTEM32\igfxtray .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:02 3871744]
"WebrootDesktopFirewall"="C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe" [2005-05-23 17:01 1920000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfblcwkd]
cfblcwkd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mfbcnhoy]
mfbcnhoy.dll
R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS [2006-07-07 16:41]
R1 pwipf2;pwipf2;C:\WINDOWS\system32\drivers\pwipf2.sys [2005-02-09 15:59]
R3 CCCP106;CIF USB Camera (2110A);C:\WINDOWS\system32\DRIVERS\cccp106.sys [2003-04-09 10:17]
R3 WebrootDesktopFirewallDataService;Webroot Desktop Firewall Data Service;C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe [2005-05-23 17:01]
R3 WebrootFirewall;Webroot Desktop Firewall;C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe [2005-05-18 13:10]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 19:15:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2008-02-04 19:21:56 - machine was rebooted [Jackie]
ComboFix-quarantined-files.txt 2008-02-04 19:21:46
.
2008-01-11 17:37:29 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:41, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] "C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by135fd.bay135.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: cfblcwkd - cfblcwkd.dll (file missing)
O20 - Winlogon Notify: mfbcnhoy - mfbcnhoy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 5952 bytes
little eagle
2008-02-05, 04:37
I cannot stress how important this is!!
Please read the instructions on how to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Then and only then go to the next step.
___________________________________________________________
Open notepad and copy/paste the text in the codebox below into it:
RenV::
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\DAEMON Tools\daemon .exe
C:\Program Files\Dell\Media Experience\PCMService .exe
C:\Program Files\Jessops\Picture Suite\InsDetect .exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\WINDOWS\SYSTEM32\ctfmon .exe
C:\WINDOWS\SYSTEM32\DSentry .exe
C:\WINDOWS\SYSTEM32\hkcmd .exe
C:\WINDOWS\SYSTEM32\igfxtray .exe
Save this as "CFScript"
http://nutnworks.com/CFix/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Then post the results log and a new HijackThis log.
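The RenV:: list above targets executables that were renamed with a space before the extension (the "ctfmon .exe" pattern in the ComboFix log). As an added example, not part of this thread and not ComboFix's own RenV logic, the Python below walks a directory tree, reports every such file, and restores the name only when no file with the original name already exists next to it (as is the case for ctfmon.exe here); the scan root and the sample tree it builds are constructed for the demonstration.

```python
"""Find executables whose name carries a space before the extension, e.g. "ctfmon .exe".

Added example for the thread above; not from ComboFix. The scan root and the
throwaway sample tree are constructed here purely for demonstration.
"""
import os
import re
import tempfile
from pathlib import Path

# File name = stem, one or more spaces, then an executable-type extension.
SPACE_BEFORE_EXT = re.compile(
    r"^(?P<stem>.+?) +(?P<ext>\.(?:exe|dll|sys|scr))$", re.IGNORECASE
)


def restored_name(name):
    """Return the name with the stray space(s) removed, or None if it does not match."""
    m = SPACE_BEFORE_EXT.match(name)
    if not m:
        return None
    return m.group("stem") + m.group("ext")


def find_space_renamed(root):
    """Walk root and return (path, restored_name, collides) for every match.

    collides is True when a file with the restored name already sits in the same
    directory, so a blind rename would overwrite a possibly legitimate file.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}  # case-insensitive, as on NTFS
        for f in sorted(files):
            fixed = restored_name(f)
            if fixed is None:
                continue
            hits.append((Path(dirpath) / f, fixed, fixed.lower() in present))
    return hits


def restore(root, dry_run=True):
    """Rename matches back to their original names, skipping collisions.

    Returns (renamed, skipped); with dry_run=True, 'renamed' lists what would change.
    """
    renamed, skipped = [], []
    for path, fixed, collides in find_space_renamed(root):
        if collides:
            skipped.append(path)
            continue
        if not dry_run:
            path.rename(path.with_name(fixed))
        renamed.append(path)
    return renamed, skipped


def build_sample_tree():
    """Construct a temporary tree mirroring the log: renamed files plus one collision."""
    root = Path(tempfile.mkdtemp(prefix="renv_demo_"))
    sys32 = root / "WINDOWS" / "SYSTEM32"
    sys32.mkdir(parents=True)
    for name in ("ctfmon .exe", "ctfmon.exe", "hkcmd .exe", "igfxtray .exe", "kernel32.dll"):
        (sys32 / name).write_bytes(b"MZ")  # constructed placeholder contents
    (root / "daemon .exe").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, fixed, collides in find_space_renamed(demo_root):
        note = "  (original name already present, left alone)" if collides else ""
        print(f"{path} -> {fixed}{note}")
    done, left = restore(demo_root, dry_run=False)
    print(f"renamed {len(done)}, skipped {len(left)}")
```

Run it against a real system root only in dry-run mode first and compare the report with the ComboFix listing before renaming anything.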
ariesjmk
2008-02-05, 22:35
ComboFix 08-02.03.1 - Jackie 2008-02-05 20:07:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT 0:00]
Running from: C:\Documents and Settings\Jackie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jackie\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-05 19:14 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-05 19:14 . 2004-10-28 18:23 211 --a------ C:\Boot.bak
2008-01-30 21:16 . 2008-01-30 21:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:11 . 2008-01-29 21:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-29 21:11 . 2008-01-29 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-29 17:47 . 2008-01-29 17:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-28 21:58 . 2004-01-27 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-28 21:58 . 2004-01-27 21:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-28 20:59 . 2008-01-28 20:59 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-25 19:59 . 2008-01-25 19:59 2 --a------ C:\WINDOWS\msoffice.ini
2008-01-21 10:13 . 2008-02-05 20:06 3,500 --a------ C:\WINDOWS\SYSTEM32\wdf_dxs.dat
2008-01-21 09:42 . 2005-05-23 17:01 952,320 --a------ C:\WINDOWS\wdfInstall.dll
2008-01-21 09:42 . 2005-05-23 17:01 585,216 --a------ C:\WINDOWS\WRSetup.dll
2008-01-21 09:42 . 2005-03-22 16:57 184,320 --a------ C:\WINDOWS\WDFSCReg.dll
2008-01-21 09:42 . 2005-05-23 17:01 88,064 --a------ C:\WINDOWS\wdfWEL.dll
2008-01-21 09:42 . 2005-05-23 17:01 51,200 --a------ C:\WINDOWS\WDFLanguagePack.dll
2008-01-21 09:42 . 2005-01-31 11:46 45,056 --a------ C:\WINDOWS\wdfserv.dat
2008-01-21 09:42 . 2005-03-18 12:43 40,960 --a------ C:\WINDOWS\PWIWrapper.dll
2008-01-21 09:42 . 2005-02-09 15:59 24,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pwipf2.sys
2008-01-21 09:42 . 2005-02-09 22:07 1,888 --a------ C:\WINDOWS\SYSTEM32\WDF.mof
2008-01-21 09:11 . 2005-05-23 17:01 952,320 --a------ C:\WINDOWS\wdfInstall.dat
2008-01-21 09:11 . 2005-03-22 16:57 184,320 --a------ C:\WINDOWS\WDFSCReg.dat
2008-01-21 09:11 . 2005-01-31 11:46 45,056 --a------ C:\WINDOWS\wdfserv01.dat
2008-01-20 22:16 . 2008-01-21 09:42 71 --a------ C:\WINDOWS\SYSTEM32\wdf_aff.dat
2008-01-20 20:28 . 2008-01-22 22:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-20 20:24 . 2008-01-22 22:40 <DIR> d-------- C:\Program Files\Webroot
2008-01-20 20:24 . 2008-01-22 22:40 <DIR> d-------- C:\Documents and Settings\Jackie\Application Data\Webroot
2008-01-20 20:24 . 2006-07-07 16:41 117,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2008-01-20 20:24 . 2006-07-07 16:41 15,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2008-01-20 20:24 . 2006-07-07 16:41 13,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS041A.sys
2008-01-20 20:23 . 2008-01-22 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-19 19:40 . 2006-07-07 16:41 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2008-01-18 22:05 . 2008-01-20 19:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-18 21:27 . 2008-01-18 22:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 21:27 . 2008-01-18 22:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 21:25 . 2008-01-19 10:46 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-18 20:36 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-18 20:36 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-18 20:36 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-18 20:35 . 2008-01-18 20:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-18 20:35 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-18 20:35 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-18 20:35 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-18 20:35 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-18 20:35 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-18 17:46 . 2008-01-18 17:46 <DIR> d-------- C:\Documents and Settings\Jackie\.housecall6.6
2008-01-18 17:18 . 2008-01-18 17:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-18 17:18 . 2008-01-18 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-18 17:17 . 2008-01-18 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 16:37 . 2008-01-18 16:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 22:11 . 2008-01-17 22:11 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-17 21:19 . 2008-01-17 21:21 <DIR> d-------- C:\Program Files\MP3 Workshop
2008-01-17 20:19 . 2008-01-17 20:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\Samsung_USB_Drivers
2008-01-17 20:19 . 2008-01-17 20:19 <DIR> d-------- C:\Program Files\Samsung
2008-01-17 20:19 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-11 17:07 . 2008-01-18 22:23 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-11 17:07 . 2008-01-18 22:23 126,976 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-01-11 17:07 . 2008-01-18 21:12 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2008-01-10 22:52 . 2008-01-29 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01
2008-01-10 22:52 . 2008-01-10 22:52 <DIR> d-------- C:\Temp\Ryuan1
2008-01-10 22:52 . 2008-01-10 22:52 <DIR> d-------- C:\Temp
2008-01-10 19:44 . 2008-01-10 19:44 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-10 19:41 . 2008-01-10 19:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-10 19:41 . 2008-01-10 19:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 20:07 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-03 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 18:04 --------- d-----w C:\Program Files\QuickTime
2008-01-20 15:24 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd3965.sys
2008-01-18 15:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 22:50 --------- d-----w C:\Program Files\Common Files\Adobe
2007-06-25 06:54 6,067,320 -c--a-w C:\Program Files\16. M.F.S.B. - K-Jee.mp3
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:02 3871744]
"WebrootDesktopFirewall"="C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe" [2005-05-23 17:01 1920000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfblcwkd]
cfblcwkd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mfbcnhoy]
mfbcnhoy.dll
R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS [2006-07-07 16:41]
R1 pwipf2;pwipf2;C:\WINDOWS\system32\drivers\pwipf2.sys [2005-02-09 15:59]
R3 CCCP106;CIF USB Camera (2110A);C:\WINDOWS\system32\DRIVERS\cccp106.sys [2003-04-09 10:17]
R3 WebrootDesktopFirewallDataService;Webroot Desktop Firewall Data Service;C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe [2005-05-23 17:01]
R3 WebrootFirewall;Webroot Desktop Firewall;C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe [2005-05-18 13:10]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 20:16:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2008-02-05 20:25:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 20:24:59
ComboFix2.txt 2008-02-04 19:21:58
.
2008-01-11 17:37:29 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:29:24, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] "C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by135fd.bay135.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: cfblcwkd - cfblcwkd.dll (file missing)
O20 - Winlogon Notify: mfbcnhoy - mfbcnhoy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6064 bytes
little eagle
2008-02-05, 22:58
Rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.
ariesjmk
2008-02-05, 23:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:25:58, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] "C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by135fd.bay135.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: cfblcwkd - cfblcwkd.dll (file missing)
O20 - Winlogon Notify: mfbcnhoy - mfbcnhoy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6031 bytes
The computer is working much better at the moment. I have had no pop-ups for a few days and it doesn't seem to freeze as much. I have still been trying to run Avast regularly and Spybot each start up, and I have quite a few things in quarantine. When I ran the Kaspersky scan it showed a lot of things locked, which I assumed was the quarantine stuff. Also on the scan it showed Win32 Agent, Zapchast, WinFixer, Virtumonde, Purity Scan, most of which I have seen on various scans. I have noticed that something is trying to access the internet through Explorer, which I do not use; I use Mozilla Firefox for internet access, so have denied access. I am sorry for my lack of technical knowledge; I can really only say what I am seeing and what it is doing.
little eagle
2008-02-05, 23:50
Close all programs leaving only HijackThis running. Place a check against each of the following,
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - Winlogon Notify: cfblcwkd - cfblcwkd.dll (file missing)
O20 - Winlogon Notify: mfbcnhoy - mfbcnhoy.dll (file missing)
Click on Fix Checked when finished and exit HijackThis.
------------------------------
One of the best features of Windows XP is the System Restore option; however, if there is a virus or spyware infection,
there can be backups of it made in the System Restore folder.
Therefore, clearing the restore points is necessary after a virus or spyware removal.
To reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
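The two O20 lines ticked above are Winlogon Notify packages whose DLL no longer exists; the "(file missing)" suffix is how HijackThis reports that. Winlogon Notify DLLs are loaded into winlogon.exe, so a dangling entry is either a leftover from a removal or a slot that can be refilled. The following is an added example, not code from the original thread or from HijackThis, that triages O20, O2 and O9 lines of a HijackThis 2.0 log and lists the entries whose backing file is gone. The sample log text is constructed from lines visible in the logs above; the line formats are assumed to match those logs.

```python
"""Triage a HijackThis 2.0 log for entries whose backing file is missing.

Added example, not part of the original thread or of the HijackThis tool.
It understands the O20 (Winlogon Notify), O2 (BHO) and O9 (IE extra
button) line formats as they appear in HJT 2.0 logs.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the format of the logs posted above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: cfblcwkd - cfblcwkd.dll (file missing)
O20 - Winlogon Notify: mfbcnhoy - mfbcnhoy.dll (file missing)
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\\Program Files\\Webroot\\Desktop Firewall\\FirewallNTService.exe
"""

# "O20 - Winlogon Notify: <subkey> - <dll> (file missing)"; the suffix is optional.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)
# O2 and O9 lines end in "(no file)" when the referenced module is absent.
ORPHAN_RE = re.compile(r"^(?P<section>O2|O9) - .* - \(no file\)$")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    line: str      # the log line as written
    reason: str    # why it was flagged


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that reference a file HJT could not find."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding(
                    "O20", line,
                    f"Winlogon Notify key '{m.group('key')}' loads "
                    f"{m.group('dll')} into winlogon.exe, but the DLL is gone",
                ))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(Finding(
                m.group("section"), line,
                "entry references a file that no longer exists",
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it over a saved log (`triage(open("hijackthis.log").read())`) to get the list of entries worth ticking before "Fix Checked"; an O20 entry that points at a DLL that does exist deserves a look at the file itself rather than a blind fix.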
ariesjmk
2008-02-06, 00:14
I have done as requested. Does this mean it is all ok now?
little eagle
2008-02-06, 01:29
Rescan with HiJackThis and post a new log here.
Yes things do look fine just want to see a new log before this thread is closed.
How is the PC running now?
ariesjmk
2008-02-07, 21:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:29:14, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] "C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by135fd.bay135.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 5483 bytes
The computer today is running very slowly; it could be just a busy time, but it seems worse than I remember. I told you about stuff in quarantine. Do I just leave all that where it is? I think the bar across the bottom where the Start button is looks different to what it was like before the problems, but can't be sure. It has rows of double dots next to Start, then either side of where it says Desktop, but things may have changed because of installing Spy Sweeper.
little eagle
2008-02-08, 05:06
Click START then RUN
Now type or copy Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Let me know if that helps.
ariesjmk
2008-02-10, 18:12
Everything seems to be running ok. So i would like to thank you so much for your time and expertise for fixing my computer for me. I was so much out of my depth and thought that was the end of the computer. So thank you very, very much for helping me.
little eagle
2008-02-11, 04:58
Glad we could help :cool:
Some tips to keep you clean. (http://www.nutnworks.com/forums/showthread.php?t=98)