View Full Version : Spyware.Possible_Website_Hijack
jeff1955
2009-06-11, 11:04
I updated my Spyware Doctor with Antivirus software to version 6.0.1.441 and ran a full scan. 2 infections of the Spyware.Possible_Website_Hijack malware were reported but Spyware Doctor also reported that it was unable to clean these infections. I scanned with Spybot and it reported my system was clean.
I have recently, due to a failed Hard Drive, had a clean install of Windows XP and since then have installed very little. The system worked just fine until about a week ago. Even now the system boots very quickly. The problems then begin - COMODO reports a lot of outbound activity, and for at least 5 minutes after boot up programs I try to load either crash or run very slowly, stuttering, often freezing. This is especially true for updaters for software such as Spybot and Spyware Doctor. Many times I have had to turn off the computer and then reboot in order to get it working again.
I have read around this topic before posting to you - it seems there is a little confusion about this infection report from Spyware Doctor. I wouldn't post at all but for this sluggishness, stuttering and freezing I am now getting.
Thanks in advance for any help you can give
Jeff Simpson
HiJackThis log posted below;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:39:43, on 11/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 5531 bytes
Dakeyras
2009-06-13, 11:57
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hi jeff1955 :)
I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Security Application Check:
Please download and save SecurityCheck.exe to your Desktop from one of the links below.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt
Please post the contents of that document in your next reply.
Next:
Please download Rooter.exe (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Feric.71.mespages.googlepages.com%2FRooter.exe) to your desktop.
Then double-click Rooter.exe it to start the tool.
A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here.
Next:
We need to carry out a more indepth research of you system as follows:
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Make sure that RSIT.exe is on the your Desktop before running the application!
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
When completed the above, please post back the following:
Inform myself how your computer is running. Any problems encountered and or further symptoms?
checkup.txt
Rooter.txt
Both RSIT Logs. <-- Post them individually please. IE: one Log per post/reply.
jeff1955
2009-06-13, 15:41
Hi Dakeyras,
Thanks for the reply. My machine is behaving as described in my first post. No new symptoms. The logs as requested follow (Pasted)
Security Check Log;
Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Disabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Spyware Doctor 6.0
Spybot - Search & Destroy
HijackThis 2.0.2
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)
Scan took 3601 seconds.
`````````End of Log```````````
Rooter Log;
Rooter.exe (v1.0) by Eric_71
¨
Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3
32_bits - x86 Family 6 Model 8 Stepping 1, AuthenticAMD
¨
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:157057 Mo - Free:112234 Mo )
D:\ [CD_Rom]
E:\ [CD_Rom]
W:\ [Removable]
X:\ [Removable]
Y:\ [Removable]
Z:\ [Removable]
¨
Scan : 13:25.08
Path : C:\Documents and Settings\J Simpson\Desktop\Rooter.exe
User : J Simpson ( Administrator -> YES )
¨
----------------------\\ Processes
¨
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (612)
______ \??\C:\WINDOWS\system32\csrss.exe (660)
______ \??\C:\WINDOWS\system32\winlogon.exe (684)
______ C:\WINDOWS\system32\services.exe (732)
______ C:\WINDOWS\system32\lsass.exe (744)
______ C:\WINDOWS\system32\svchost.exe (908)
______ C:\WINDOWS\system32\svchost.exe (1016)
Locked cmdagent.exe (1136)
______ C:\WINDOWS\system32\svchost.exe (1168)
______ C:\WINDOWS\system32\svchost.exe (1372)
______ C:\WINDOWS\system32\svchost.exe (1572)
______ C:\WINDOWS\Explorer.EXE (1716)
______ C:\WINDOWS\system32\LEXBCES.EXE (1732)
______ C:\WINDOWS\system32\LEXPPS.EXE (1772)
______ C:\WINDOWS\system32\spoolsv.exe (1784)
Locked cfp.exe (276)
______ C:\Program Files\Java\jre6\bin\jqs.exe (604)
______ C:\WINDOWS\system32\nvsvc32.exe (648)
______ C:\WINDOWS\system32\svchost.exe (916)
______ C:\WINDOWS\System32\alg.exe (412)
______ C:\WINDOWS\System32\svchost.exe (2172)
______ C:\Program Files\Internet Explorer\iexplore.exe (1636)
______ C:\Program Files\Spyware Doctor\pctsAuxs.exe (2564)
______ C:\Program Files\Spyware Doctor\pctsSvc.exe (3524)
______ C:\Program Files\Spyware Doctor\pctsTray.exe (3684)
______ C:\Program Files\Spyware Doctor\TFEngine\TFService.exe (316)
______ C:\Documents and Settings\J Simpson\Desktop\Rooter.exe (3288)
¨
----------------------\\ Device\Harddisk0\
¨
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
¨
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:164686523904)
¨
----------------------\\ Scheduled Tasks
¨
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
¨
----------------------\\ Registry
¨
¨
----------------------\\ Files & Folders
¨
----------------------\\ Scan completed at 13:27.30
¨
C:\Rooter$\Rooter_2.txt - (13/06/2009 | 13:27.30)
I hope I have read the end of your reply properly - I will post the RSIT results separately in two new replies one per log - if I have misread/misunderstood this please accept my apologies.
Jeff
jeff1955
2009-06-13, 15:43
RSIT Log.txt
Logfile of random's system information tool 1.06 (written by random/random)
Run by J Simpson at 2009-06-13 13:28:38
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 112 GB (71%) free of 157 GB
Total RAM: 1023 MB (61% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:38, on 13/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Documents and Settings\J Simpson\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\J Simpson.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 5584 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-06-02 1082880]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-10-29 4620288]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-03-19 1851128]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
C:\Documents and Settings\J Simpson\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Microsoft Games\Links 2003\LinksMMIII.exe"="C:\Program Files\Microsoft Games\Links 2003\LinksMMIII.exe:*:Enabled:Links 2003"
"C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - d3227210\Launcher.exe"="C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - d3227210\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - 1eda8f40\Launcher.exe"="C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - 1eda8f40\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\dwyco2\cdc32.exe"="C:\Program Files\dwyco2\cdc32.exe:*:Enabled:dwyco cdc32 for Windows95/98/ME/NT4/2K/XP"
"C:\Program Files\World of Warcraft\Launcher.exe"="C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Curse\CurseClient.exe"="C:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
======List of files/folders created in the last 1 months======
2009-06-13 13:28:38 ----D---- C:\rsit
2009-06-13 13:24:15 ----D---- C:\Rooter$
2009-06-11 08:38:26 ----D---- C:\Program Files\Trend Micro
2009-06-11 08:34:22 ----D---- C:\WINDOWS\ERDNT
2009-06-11 08:32:22 ----D---- C:\Program Files\ERUNT
2009-06-09 20:20:38 ----D---- C:\Documents and Settings\J Simpson\Application Data\skypePM
2009-06-09 20:19:36 ----D---- C:\Documents and Settings\J Simpson\Application Data\Skype
2009-06-09 20:19:13 ----D---- C:\Program Files\Common Files\Skype
2009-06-09 20:19:10 ----RD---- C:\Program Files\Skype
2009-06-09 20:19:04 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-05-31 11:17:24 ----D---- C:\Documents and Settings\J Simpson\Application Data\Help
2009-05-31 10:39:10 ----A---- C:\WINDOWS\system32\msrd2x35.dll
2009-05-31 10:39:10 ----A---- C:\WINDOWS\system32\msjet35.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\odbctl32.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\Msrepl35.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\msjter35.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\msjint35.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixthk32.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixthk16.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixpnr.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixpermn.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixperm.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixpcz.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixlocn.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixloc.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixdfltn.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixdflt.dll
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\Vb5db.dll
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\Setbrows.exe
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\Inetwh32.dll
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\dao350.dll
2009-05-31 10:39:03 ----D---- C:\Program Files\TextBridge Pro 9.0
2009-05-31 10:37:48 ----D---- C:\Documents and Settings\All Users\Application Data\ScanSoft
2009-05-31 10:37:10 ----A---- C:\wialog.txt
2009-05-31 10:36:58 ----A---- C:\WINDOWS\system32\wiafbdrv.dll
2009-05-31 10:36:04 ----A---- C:\WINDOWS\logfile.txt
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\vizMicro.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltwvc13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltkrn13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltimg13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltfil13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltefx13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\LTDIS13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\LFCMP13n.DLL
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Lfbmp13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\Ltwvc11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Ltkrn11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Ltimg11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Ltfil11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\ltefx11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\LTDIS11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\lftif11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Lffax11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\LFCMP11n.DLL
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Lfbmp11n.dll
2009-05-31 10:36:00 ----D---- C:\Program Files\Xerox One Touch
2009-05-31 10:32:45 ----A---- C:\WINDOWS\maxlink.ini
2009-05-31 10:32:23 ----D---- C:\Program Files\Scansoft
2009-05-31 10:32:23 ----D---- C:\Program Files\Common Files\scansoft shared
2009-05-31 10:26:00 ----A---- C:\WINDOWS\fe.INI
2009-05-31 10:25:56 ----A---- C:\WINDOWS\IHelper.exe
======List of files/folders modified in the last 1 months======
2009-06-13 13:29:17 ----D---- C:\WINDOWS\Prefetch
2009-06-13 13:19:06 ----D---- C:\WINDOWS\Temp
2009-06-13 13:18:05 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-13 13:17:48 ----D---- C:\Program Files\Spyware Doctor
2009-06-13 07:21:42 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-12 20:14:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-11 08:38:26 ----RD---- C:\Program Files
2009-06-11 08:34:22 ----D---- C:\WINDOWS
2009-06-10 16:20:58 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-06-10 15:33:44 ----SHD---- C:\WINDOWS\Installer
2009-06-10 15:32:42 ----D---- C:\WINDOWS\system32\drivers
2009-06-10 15:32:42 ----D---- C:\Program Files\Common Files\PC Tools
2009-06-09 20:45:02 ----D---- C:\Program Files\World of Warcraft
2009-06-09 20:20:39 ----D---- C:\WINDOWS\system32
2009-06-09 20:19:13 ----D---- C:\Program Files\Common Files
2009-05-31 17:55:03 ----A---- C:\WINDOWS\LEXSTAT.INI
2009-05-31 16:43:34 ----A---- C:\WINDOWS\win.ini
2009-05-31 11:13:51 ----D---- C:\Documents and Settings\J Simpson\Application Data\Serif
2009-05-31 11:12:13 ----D---- C:\Program Files\Serif
2009-05-31 11:08:29 ----D---- C:\WINDOWS\Help
2009-05-31 10:36:55 ----HD---- C:\WINDOWS\inf
2009-05-31 10:36:05 ----D---- C:\WINDOWS\twain_32
2009-05-31 10:36:03 ----D---- C:\WINDOWS\Driver Cache
2009-05-31 10:32:36 ----D---- C:\WINDOWS\system
2009-05-31 10:31:55 ----D---- C:\Program Files\Common Files\InstallShield
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-03-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-03-19 24336]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\system32\DRIVERS\strmdisp.sys [2003-05-21 30592]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-10-29 2826944]
R3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-05-21 1063040]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-05-21 196352]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 phil2vid;Philips USB VGA Camera; C:\WINDOWS\system32\DRIVERS\philcam2.sys [2001-08-17 173696]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-05-21 631296]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2009-03-19 700152]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-02-25 303104]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2004-10-29 127043]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-03-31 70944]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
jeff1955
2009-06-13, 15:44
RSIT Info.txt
info.txt logfile of random's system information tool 1.06 2009-06-13 13:29:42
======Uninstall list======
-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNNMP.exe /UNINSTALL
-->MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
BT Home Hub-->C:\Program Files.\BTHomeHub.\Uninstall.exe
COMODO Internet Security-->C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe -u
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Curse Client-->C:\Program Files\Curse\uninstall.exe
Dwyco Video Conferencing-->"c:\program files\dwyco2\unins000.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
getPlus(R) for Adobe-->"C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Lexmark Z600 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Links 2003-->"C:\Program Files\Microsoft Games\Links 2003\UNINSTAL.EXE" /runtemp /addremove
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Media Content-->MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nero Suite-->C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PaperPort 8.0 SE-->MsiExec.exe /I{AEF2D1F3-0696-11D5-8E6A-00C04F7FA234}
Philips Vesta Camera WebUpdate-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Philips Vesta Camera\VestaWeb.isu"
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Serif DrawPlus X2 Resources-->MsiExec.exe /I{946383CC-B47D-4817-A4D9-03F4E76A9003}
Serif DrawPlus X2-->MsiExec.exe /I{4D9DD45B-E79A-4F04-898E-B2C3769AB729}
Serif PagePlus 11 Resources-->MsiExec.exe /I{C9A391A7-E3C0-45B3-9A8E-1D878C9A3997}
Serif PagePlus 11-->MsiExec.exe /I{0B884C9B-5D85-4461-88EE-826E1BB33008}
Serif PagePlus X3 Resources-->MsiExec.exe /I{D0F1732F-DE2D-4A6D-BE19-2D6CF784356C}
Serif PagePlus X3-->MsiExec.exe /I{596DA8A2-C576-46F5-A92E-8C9CCECE4E9D}
Serif PhotoPlus 10-->MsiExec.exe /I{30EB024E-9FD0-45E6-849D-30CC6F1AF2F1}
Serif WebPlus X2 Resources-->MsiExec.exe /I{05BC428A-F2A5-4E11-8130-10C3237FD67B}
Serif WebPlus X2-->MsiExec.exe /I{8829E394-87E1-41C0-BCED-9B47F7C6DCDD}
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
TextBridge Pro 9.0-->C:\Program Files\TextBridge Pro 9.0\Bin\Setup.exe -y -f"C:\Program Files\TextBridge Pro 9.0\Bin\Uninst.ins"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Xerox One Touch-->C:\PROGRA~1\XEROXO~1\UNWISE.EXE C:\PROGRA~1\XEROXO~1\INSTALL.LOG
======Hosts File======
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
======Security center information======
AV: Spyware Doctor with AntiVirus
FW: COMODO Firewall
======System event log======
Computer Name: JEFF-PC
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Record Number: 358
Source Name: W32Time
Time Written: 20090330203153.000000+060
Event Type: warning
User:
Computer Name: JEFF-PC
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Record Number: 283
Source Name: W32Time
Time Written: 20090327204729.000000+000
Event Type: warning
User:
Computer Name: JEFF-PC
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Record Number: 258
Source Name: W32Time
Time Written: 20090326201050.000000+000
Event Type: warning
User:
Computer Name: JEFF-PC
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Record Number: 233
Source Name: W32Time
Time Written: 20090325203445.000000+000
Event Type: warning
User:
Computer Name: JEFF-PC
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Record Number: 124
Source Name: W32Time
Time Written: 20090323203344.000000+000
Event Type: warning
User:
=====Application event log=====
Computer Name: JEFF-PC
Event Code: 62
Message: WMI ADAP was unable to process the .NET CLR Data performance library since one of the data blobs reported to have classes but had zero size
Record Number: 48
Source Name: WinMgmt
Time Written: 20090131152004.000000+000
Event Type: warning
User:
Computer Name: JEFF-PC
Event Code: 1020
Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
Record Number: 42
Source Name: ASP.NET 1.1.4322.0
Time Written: 20090131151845.000000+000
Event Type: warning
User:
Computer Name: JEFF-PC
Event Code: 1517
Message: Windows saved user JEFF-PC\J Simpson registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Record Number: 33
Source Name: Userenv
Time Written: 20090131144909.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: JEFF-PC
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 32
Source Name: WinMgmt
Time Written: 20090131144111.000000+000
Event Type: warning
User: JEFF-PC\J Simpson
Computer Name: JEFF-PC
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 11
Source Name: WinMgmt
Time Written: 20090131140101.000000+000
Event Type: warning
User: NT AUTHORITY\SYSTEM
=====Security event log=====
Computer Name: JEFF-PC
Event Code: 528
Message: Successful Logon:
User Name: LOCAL SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -
Record Number: 7525
Source Name: Security
Time Written: 20090426161659.000000+060
Event Type: audit success
User: NT AUTHORITY\LOCAL SERVICE
Computer Name: JEFF-PC
Event Code: 576
Message: Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0xFA90)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
Record Number: 7524
Source Name: Security
Time Written: 20090426161659.000000+060
Event Type: audit success
User: JEFF-PC\J Simpson
Computer Name: JEFF-PC
Event Code: 528
Message: Successful Logon:
User Name: J Simpson
Domain: JEFF-PC
Logon ID: (0x0,0xFA90)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: JEFF-PC
Logon GUID: -
Record Number: 7523
Source Name: Security
Time Written: 20090426161659.000000+060
Event Type: audit success
User: JEFF-PC\J Simpson
Computer Name: JEFF-PC
Event Code: 680
Message: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: J Simpson
Source Workstation: JEFF-PC
Error Code: 0x0
Record Number: 7522
Source Name: Security
Time Written: 20090426161659.000000+060
Event Type: audit success
User: NT AUTHORITY\SYSTEM
Computer Name: JEFF-PC
Event Code: 538
Message: User Logoff:
User Name: J Simpson
Domain: JEFF-PC
Logon ID: (0x0,0xF9F7)
Logon Type: 2
Record Number: 7521
Source Name: Security
Time Written: 20090426161659.000000+060
Event Type: audit success
User: JEFF-PC\J Simpson
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0801
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
-----------------EOF-----------------
Dakeyras
2009-06-13, 21:17
Hi :)
Thanks for the reply. My machine is behaving as described in my first post. No new symptoms.You're welcome and thanks for the update.
Please except my apology, Rooter has been updated since yesterday with new features but thankfully your good self worked out to click on Scan :bigthumb:
Next:
We need to restore the SeDebugPrivilege on your machine as follows:
Please download SeDebug-Restore (http://download.bleepingcomputer.com/sUBs/SeDebug-Restore.exe) to your desktop.
Next double click to run the small application.
TFC(Temp File Cleaner):
Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.
Next:
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.
Double-click mbam-setup.exe and select then follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
Launch Malwarebytes' Anti-Malware
Click on the Logs radio tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Next:
Please make sure that RSIT.exe is still on the Desktop.(if not inform myself straight away please)
Double click once on RSIT.exe
RSIT will start running, at the disclaimer click on Continue.
When done, 1 log will be produced.
Post that in your next reply.
When completed the above, please post back the following in the order asked for:
How is you computer performing now, any other symptoms and or problems encountered?
Malwarebytes' Anti-Malware Log.
A new RSIT logs.
jeff1955
2009-06-14, 08:26
Hi Dakeyras,
My PC is still sluggish and stuttering and is hanging on programs during the first 5 - 10 minutes after boot up. Installing the Malwarebytes prog took two attempts as the PC crashed during the process.
For the first time, on re-booting after the Malwarebytes scan, the computer reported that my Auto-update was switched off. Logs as requested below;
Malwarebytes Log
Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3
14/06/2009 06:12:54
mbam-log-2009-06-14 (06-12-54).txt
Scan type: Quick Scan
Objects scanned: 80530
Time elapsed: 3 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
RSIT log
Logfile of random's system information tool 1.06 (written by random/random)
Run by J Simpson at 2009-06-14 06:20:42
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 112 GB (71%) free of 157 GB
Total RAM: 1023 MB (60% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:21:03, on 14/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\J Simpson\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\J Simpson.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 5650 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-06-02 1082880]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-10-29 4620288]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-03-19 1851128]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
C:\Documents and Settings\J Simpson\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Microsoft Games\Links 2003\LinksMMIII.exe"="C:\Program Files\Microsoft Games\Links 2003\LinksMMIII.exe:*:Enabled:Links 2003"
"C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - d3227210\Launcher.exe"="C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - d3227210\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - 1eda8f40\Launcher.exe"="C:\Documents and Settings\J Simpson\Local Settings\Temp\Blizzard Launcher Temporary - 1eda8f40\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\dwyco2\cdc32.exe"="C:\Program Files\dwyco2\cdc32.exe:*:Enabled:dwyco cdc32 for Windows95/98/ME/NT4/2K/XP"
"C:\Program Files\World of Warcraft\Launcher.exe"="C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Curse\CurseClient.exe"="C:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
======List of files/folders created in the last 1 months======
2009-06-13 21:26:41 ----D---- C:\Documents and Settings\J Simpson\Application Data\Malwarebytes
2009-06-13 21:25:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-13 21:25:18 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-06-13 13:28:38 ----D---- C:\rsit
2009-06-13 13:24:15 ----D---- C:\Rooter$
2009-06-11 08:38:26 ----D---- C:\Program Files\Trend Micro
2009-06-11 08:34:22 ----D---- C:\WINDOWS\ERDNT
2009-06-11 08:32:22 ----D---- C:\Program Files\ERUNT
2009-06-09 20:20:38 ----D---- C:\Documents and Settings\J Simpson\Application Data\skypePM
2009-06-09 20:19:36 ----D---- C:\Documents and Settings\J Simpson\Application Data\Skype
2009-06-09 20:19:13 ----D---- C:\Program Files\Common Files\Skype
2009-06-09 20:19:10 ----RD---- C:\Program Files\Skype
2009-06-09 20:19:04 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-05-31 11:17:24 ----D---- C:\Documents and Settings\J Simpson\Application Data\Help
2009-05-31 10:39:10 ----A---- C:\WINDOWS\system32\msrd2x35.dll
2009-05-31 10:39:10 ----A---- C:\WINDOWS\system32\msjet35.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\odbctl32.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\Msrepl35.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\msjter35.dll
2009-05-31 10:39:09 ----A---- C:\WINDOWS\system32\msjint35.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixthk32.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixthk16.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixpnr.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixpermn.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixperm.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixpcz.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixlocn.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixloc.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixdfltn.dll
2009-05-31 10:39:08 ----A---- C:\WINDOWS\system32\Pixdflt.dll
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\Vb5db.dll
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\Setbrows.exe
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\Inetwh32.dll
2009-05-31 10:39:07 ----A---- C:\WINDOWS\system32\dao350.dll
2009-05-31 10:39:03 ----D---- C:\Program Files\TextBridge Pro 9.0
2009-05-31 10:37:48 ----D---- C:\Documents and Settings\All Users\Application Data\ScanSoft
2009-05-31 10:37:10 ----A---- C:\wialog.txt
2009-05-31 10:36:58 ----A---- C:\WINDOWS\system32\wiafbdrv.dll
2009-05-31 10:36:04 ----A---- C:\WINDOWS\logfile.txt
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\vizMicro.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltwvc13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltkrn13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltimg13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltfil13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Ltefx13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\LTDIS13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\LFCMP13n.DLL
2009-05-31 10:36:03 ----A---- C:\WINDOWS\system32\Lfbmp13n.dll
2009-05-31 10:36:03 ----A---- C:\WINDOWS\Ltwvc11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Ltkrn11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Ltimg11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Ltfil11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\ltefx11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\LTDIS11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\lftif11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Lffax11n.dll
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\LFCMP11n.DLL
2009-05-31 10:36:02 ----A---- C:\WINDOWS\system32\Lfbmp11n.dll
2009-05-31 10:36:00 ----D---- C:\Program Files\Xerox One Touch
2009-05-31 10:32:45 ----A---- C:\WINDOWS\maxlink.ini
2009-05-31 10:32:23 ----D---- C:\Program Files\Scansoft
2009-05-31 10:32:23 ----D---- C:\Program Files\Common Files\scansoft shared
2009-05-31 10:26:00 ----A---- C:\WINDOWS\fe.INI
2009-05-31 10:25:56 ----A---- C:\WINDOWS\IHelper.exe
======List of files/folders modified in the last 1 months======
2009-06-14 06:20:59 ----D---- C:\WINDOWS\system32\CatRoot2
2009-06-14 06:20:05 ----D---- C:\WINDOWS\Temp
2009-06-14 06:15:47 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-14 06:15:32 ----D---- C:\Program Files\Spyware Doctor
2009-06-14 06:14:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-06-13 21:29:38 ----D---- C:\WINDOWS\Prefetch
2009-06-13 21:25:20 ----D---- C:\WINDOWS\system32\drivers
2009-06-13 21:25:18 ----RD---- C:\Program Files
2009-06-13 21:22:45 ----D---- C:\WINDOWS\system32
2009-06-13 21:22:45 ----D---- C:\WINDOWS
2009-06-10 16:20:58 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-06-10 15:33:44 ----SHD---- C:\WINDOWS\Installer
2009-06-10 15:32:42 ----D---- C:\Program Files\Common Files\PC Tools
2009-06-09 20:45:02 ----D---- C:\Program Files\World of Warcraft
2009-06-09 20:19:13 ----D---- C:\Program Files\Common Files
2009-05-31 17:55:03 ----A---- C:\WINDOWS\LEXSTAT.INI
2009-05-31 16:43:34 ----A---- C:\WINDOWS\win.ini
2009-05-31 11:13:51 ----D---- C:\Documents and Settings\J Simpson\Application Data\Serif
2009-05-31 11:12:13 ----D---- C:\Program Files\Serif
2009-05-31 11:08:29 ----D---- C:\WINDOWS\Help
2009-05-31 10:36:55 ----HD---- C:\WINDOWS\inf
2009-05-31 10:36:05 ----D---- C:\WINDOWS\twain_32
2009-05-31 10:36:03 ----D---- C:\WINDOWS\Driver Cache
2009-05-31 10:32:36 ----D---- C:\WINDOWS\system
2009-05-31 10:31:55 ----D---- C:\Program Files\Common Files\InstallShield
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-03-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-03-19 24336]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\system32\DRIVERS\strmdisp.sys [2003-05-21 30592]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-10-29 2826944]
R3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
R3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-05-21 1063040]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-05-21 196352]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 phil2vid;Philips USB VGA Camera; C:\WINDOWS\system32\DRIVERS\philcam2.sys [2001-08-17 173696]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-05-21 631296]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2009-03-19 700152]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-02-25 303104]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2004-10-29 127043]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R3 ThreatFire;ThreatFire; C:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-03-31 70944]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
Thanks for all the attention :)
Jeff
Dakeyras
2009-06-14, 23:51
Hi :)
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs can be read here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper
When completed the above, please post back the following:
How is you computer performing now? Any problems encountered and or any further symptoms?
ComboFix Log.
A new HijackThis Log.
jeff1955
2009-06-15, 08:20
Hi Daykeras,
Interestingly the machine seems to be running much better, I followed your instructions, disabled Spyware Doctor and COMODO Firewall, downloaded and ran ComboFix (log pasted below). Combo reported that I hadn't the Recovery Console installed, offered to download it I said yes - it then reported that it had failed to download files - and carried on with the scan. It produced the log - and another Internet Explorer Icon on my desktop (there are now 2). When I clicked my quickstart icon a message popped up saying IE was not my preferred browser would I like to make it so - I said yes.
ComboFix log
ComboFix 09-06-14.02 - J Simpson 15/06/2009 6:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.738 [GMT 1:00]
Running from: c:\documents and settings\J Simpson\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.
2009-06-14 08:08 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-06-14 08:07 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-14 08:07 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-14 08:07 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-14 08:07 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-14 08:07 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-14 08:07 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-14 08:07 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-14 08:07 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-14 08:07 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-14 05:51 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-14 05:51 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-13 20:26 . 2009-06-13 20:26 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Malwarebytes
2009-06-13 20:25 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 20:25 . 2009-06-13 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 20:25 . 2009-06-13 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 20:25 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 12:28 . 2009-06-14 05:21 -------- d-----w- C:\rsit
2009-06-13 12:24 . 2009-06-13 12:27 -------- d-----w- C:\Rooter$
2009-06-11 07:38 . 2009-06-11 07:38 -------- d-----w- c:\program files\Trend Micro
2009-06-11 07:32 . 2009-06-11 07:33 -------- d-----w- c:\program files\ERUNT
2009-06-10 14:29 . 2009-03-31 10:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-06-10 14:29 . 2009-03-31 10:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-06-10 14:29 . 2009-03-31 10:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-06-10 14:29 . 2009-03-31 10:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-06-10 14:24 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-10 14:24 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-10 14:24 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-10 14:23 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-09 19:20 . 2009-06-09 19:20 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-09 19:20 . 2009-06-11 20:21 -------- d-----w- c:\documents and settings\J Simpson\Application Data\skypePM
2009-06-09 19:19 . 2009-06-11 20:22 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Skype
2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----w- c:\program files\Common Files\Skype
2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----r- c:\program files\Skype
2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-31 10:17 . 2009-05-31 10:17 -------- d-----w- c:\documents and settings\J Simpson\Local Settings\Application Data\Help
2009-05-31 09:37 . 2009-05-31 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-05-31 09:37 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-31 09:37 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-31 09:32 . 2009-05-31 09:39 -------- d-----w- c:\program files\Common Files\scansoft shared
2009-05-31 09:32 . 2009-05-31 09:32 -------- d-----w- c:\program files\Scansoft
2009-05-31 09:25 . 2009-05-31 09:31 270336 ----a-w- c:\windows\IHelper.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 04:58 . 2009-02-02 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-15 04:58 . 2009-02-02 19:15 -------- d-----w- c:\program files\Spyware Doctor
2009-06-11 00:25 . 2009-02-02 16:39 110760 ----a-w- c:\documents and settings\J Simpson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 14:32 . 2009-02-02 19:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-09 19:45 . 2009-02-03 06:33 -------- d-----w- c:\program files\World of Warcraft
2009-05-31 10:13 . 2009-02-11 15:05 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Serif
2009-05-31 10:12 . 2009-02-11 14:40 -------- d-----w- c:\program files\Serif
2009-05-31 09:39 . 2009-05-31 09:39 -------- d-----w- c:\program files\TextBridge Pro 9.0
2009-05-31 09:37 . 2009-05-31 09:36 -------- d-----w- c:\program files\Xerox One Touch
2009-05-31 09:31 . 2009-02-02 11:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 05:50 . 2009-02-19 16:09 -------- d-----w- c:\program files\dwyco2
2009-04-16 15:04 . 2009-04-16 15:04 -------- d-----w- c:\program files\Curse
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-01 07:21 . 2009-04-01 07:21 152576 ----a-w- c:\documents and settings\J Simpson\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-01 07:04 . 2009-04-01 07:04 1409 -c--a-w- c:\windows\Fonts\SToccata.fot
2009-04-01 07:04 . 2009-04-01 07:04 4874056 ----a-w- c:\documents and settings\J Simpson\Application Data\ACAMPREF\Myriad\Updates\Install.exe
2009-03-19 14:19 . 2009-03-19 14:19 80400 -c--a-w- c:\windows\system32\drivers\inspect.sys
2009-03-19 14:19 . 2009-03-19 14:19 24336 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-03-19 14:19 . 2009-03-19 14:19 155384 ----a-w- c:\windows\system32\guard32.dll
2009-03-19 14:19 . 2009-03-19 14:19 110992 ----a-w- c:\windows\system32\drivers\cmdguard.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-19 1851128]
c:\documents and settings\J Simpson\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"=
"c:\\Program Files\\dwyco2\\cdc32.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/06/2009 15:24 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [10/06/2009 15:29 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [10/06/2009 15:29 39200]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [19/03/2009 15:19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [19/03/2009 15:19 24336]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [10/06/2009 15:24 159600]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [10/06/2009 15:29 33056]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/02/2009 16:19 33752]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [10/06/2009 15:23 64392]
S3 phil2vid;Philips USB VGA Camera;c:\windows\system32\drivers\philcam2.sys [19/02/2009 16:59 173696]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [02/02/2009 20:15 348752]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1;2
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 06:07
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\guard32.dll
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\guard32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-15 6:09
ComboFix-quarantined-files.txt 2009-06-15 05:09
Pre-Run: 117,129,969,664 bytes free
Post-Run: 117,154,975,744 bytes free
159 --- E O F --- 2009-06-14 20:51
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:17:25, on 15/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 5486 bytes
Hope this is all you needed -
Jeff
Dakeyras
2009-06-15, 12:33
Hi :)
What ComboFix reported/created is fine and part of it normal process. It would be prudent however to have the Recovery Console installed before we proceed any further.
I think actually your COMODO Firewall blocked the installation as according to the Combofix report it was enabled during the run:
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
Blizzard Downloader Advice:
I know this relates to your installed game World of Warcraft and used for downloading files/updates etc for it but not actually wise having any open ports on your computer:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724Personally I do not recommend this but be aware it could be used as a exploit for malware to gain access. Apart from removing this which I suspect you would not wish to as then no more updates for your game the best advice I can impart is keep a check on your firewall logs as Comodo might not always inform of a intrusion attempt and or you may just miss the notification.
Recovery Console Installation:
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
http://i266.photobucket.com/albums/ii277/sUBs_/KB310994.gif
Download the file & save it as it's originally named, next to ComboFix.exe.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
At the next prompt, click 'Yes' to run the full ComboFix scan.
http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif
When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
jeff1955
2009-06-15, 22:44
Hi Dakeyras,
My computer has slowed down quite a lot over today (Monday) and not just for the first few minutes after bootup - it remains slow all the time. It is taking me a while to type this as inbetween pressing a key and the character appearing onscreen there is a definite lag of maybe half a second.
I now have 2 Internet Explorer icons on my desktop.
My Outlook Express e-mail has lost all of the mail accounts I had set up.
Otherwise things are fine ;)
I made sure Spyware Doctor and Comodo were both switched off this time. I successfully installed the windows Recovery Console and then scan - logs, as requested, below;
Combofix log
ComboFix 09-06-15.01 - J Simpson 15/06/2009 20:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.717 [GMT 1:00]
Running from: c:\documents and settings\J Simpson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\J Simpson\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.
2009-06-14 08:08 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-06-14 08:07 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-14 08:07 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-14 08:07 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-14 08:07 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-14 08:07 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-14 08:07 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-14 08:07 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-14 08:07 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-14 08:07 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-14 05:51 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-14 05:51 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-13 20:26 . 2009-06-13 20:26 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Malwarebytes
2009-06-13 20:25 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 20:25 . 2009-06-13 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 20:25 . 2009-06-13 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 20:25 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 12:28 . 2009-06-14 05:21 -------- d-----w- C:\rsit
2009-06-13 12:24 . 2009-06-13 12:27 -------- d-----w- C:\Rooter$
2009-06-11 07:38 . 2009-06-11 07:38 -------- d-----w- c:\program files\Trend Micro
2009-06-11 07:32 . 2009-06-11 07:33 -------- d-----w- c:\program files\ERUNT
2009-06-10 14:29 . 2009-03-31 10:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-06-10 14:29 . 2009-03-31 10:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-06-10 14:29 . 2009-03-31 10:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-06-10 14:29 . 2009-03-31 10:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-06-10 14:24 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-10 14:24 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-10 14:24 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-10 14:23 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-09 19:20 . 2009-06-09 19:20 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-09 19:20 . 2009-06-11 20:21 -------- d-----w- c:\documents and settings\J Simpson\Application Data\skypePM
2009-06-09 19:19 . 2009-06-11 20:22 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Skype
2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----w- c:\program files\Common Files\Skype
2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----r- c:\program files\Skype
2009-06-09 19:19 . 2009-06-09 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-31 10:17 . 2009-05-31 10:17 -------- d-----w- c:\documents and settings\J Simpson\Local Settings\Application Data\Help
2009-05-31 09:37 . 2009-05-31 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-05-31 09:37 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-05-31 09:37 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-05-31 09:32 . 2009-05-31 09:39 -------- d-----w- c:\program files\Common Files\scansoft shared
2009-05-31 09:32 . 2009-05-31 09:32 -------- d-----w- c:\program files\Scansoft
2009-05-31 09:25 . 2009-05-31 09:31 270336 ----a-w- c:\windows\IHelper.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 19:21 . 2009-02-02 19:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-15 19:21 . 2009-02-02 19:15 -------- d-----w- c:\program files\Spyware Doctor
2009-06-11 00:25 . 2009-02-02 16:39 110760 ----a-w- c:\documents and settings\J Simpson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 14:32 . 2009-02-02 19:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-09 19:45 . 2009-02-03 06:33 -------- d-----w- c:\program files\World of Warcraft
2009-05-31 10:13 . 2009-02-11 15:05 -------- d-----w- c:\documents and settings\J Simpson\Application Data\Serif
2009-05-31 10:12 . 2009-02-11 14:40 -------- d-----w- c:\program files\Serif
2009-05-31 09:39 . 2009-05-31 09:39 -------- d-----w- c:\program files\TextBridge Pro 9.0
2009-05-31 09:37 . 2009-05-31 09:36 -------- d-----w- c:\program files\Xerox One Touch
2009-05-31 09:31 . 2009-02-02 11:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 05:50 . 2009-02-19 16:09 -------- d-----w- c:\program files\dwyco2
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-01 07:21 . 2009-04-01 07:21 152576 ----a-w- c:\documents and settings\J Simpson\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-01 07:04 . 2009-04-01 07:04 1409 -c--a-w- c:\windows\Fonts\SToccata.fot
2009-04-01 07:04 . 2009-04-01 07:04 4874056 ----a-w- c:\documents and settings\J Simpson\Application Data\ACAMPREF\Myriad\Updates\Install.exe
2009-03-19 14:19 . 2009-03-19 14:19 80400 -c--a-w- c:\windows\system32\drivers\inspect.sys
2009-03-19 14:19 . 2009-03-19 14:19 24336 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-03-19 14:19 . 2009-03-19 14:19 155384 ----a-w- c:\windows\system32\guard32.dll
2009-03-19 14:19 . 2009-03-19 14:19 110992 ----a-w- c:\windows\system32\drivers\cmdguard.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-15_05.07.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-15 19:11 . 2009-06-15 19:11 16384 c:\windows\Temp\Perflib_Perfdata_278.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-19 1851128]
c:\documents and settings\J Simpson\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"=
"c:\\Program Files\\dwyco2\\cdc32.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/06/2009 15:24 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [10/06/2009 15:29 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [10/06/2009 15:29 39200]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [19/03/2009 15:19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [19/03/2009 15:19 24336]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [10/06/2009 15:24 159600]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [10/06/2009 15:29 33056]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/02/2009 16:19 33752]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [10/06/2009 15:23 64392]
S3 phil2vid;Philips USB VGA Camera;c:\windows\system32\drivers\philcam2.sys [19/02/2009 16:59 173696]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [02/02/2009 20:15 348752]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1;2
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 20:30
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\guard32.dll
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
- - - - - - - > 'explorer.exe'(3804)
c:\windows\system32\guard32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-15 20:31
ComboFix-quarantined-files.txt 2009-06-15 19:31
ComboFix2.txt 2009-06-15 05:09
Pre-Run: 117,126,840,320 bytes free
Post-Run: 117,116,260,352 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
170 --- E O F --- 2009-06-14 20:51
[B]HiJackThis log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:34:02, on 15/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 4962 bytes
Hope this is what you need ....
Jeff
Dakeyras
2009-06-16, 11:19
Hi :)
My computer has slowed down quite a lot over today (Monday) and not just for the first few minutes after bootup - it remains slow all the time. It is taking me a while to type this as inbetween pressing a key and the character appearing onscreen there is a definite lag of maybe half a second.
No problem lets see what we can do to address this. Might still be malware related but having ERUNT set to create a new backup with every system reboot is not necessary. Once per week manually is sufficient, we can address that in due course.
I now have 2 Internet Explorer icons on my desktop.
Merely delete one and empty the Recycle Bin.
My Outlook Express e-mail has lost all of the mail accounts I had set up.Strange, not quite sure why this has occurred. Try launching OE again and see if the headers are re-downloaded.
Upload a Suspicious File:
There is a file I would like to be checked, please carry out the following:
Note: Internet Explorer is the browser to use for best results.
Please go to VirSCAN.org (http://virscan.org/) free on-line scan service.
Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
c:\windows\IHelper.exe
Click on the Upload button
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply. (Ctrl & V)
F-Secure Blacklight:
Please download Blacklight from here (http://www.f-secure.com/en_US/security/security-lab/tools-and-services/blacklight/) to your desktop.
or
Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.
Go to Start-->Run, copy in the following text, and press Enter:
"%userprofile%\desktop\fsbl.exe" /expertAccept the license agreement.
Click > scan, wait for it to finish, then click Close
There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.
Check Hard Disk For Errors:
Press Start->Run, then copy/paste the following command into the box and press OK:
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"A blank command window will open on your desktop, then close in a few minutes. This is normal.
A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.
When completed the above, please post back the following:
How is you computer performing now? Any problems encountered and or any further symptoms?
Virscan results.
Blacklight Log.
checkhd.txt.
A new HijackThis Log.
jeff1955
2009-06-16, 15:44
Hi :)
The problem with losing my mail accounts in OE seems to be linked to using CombiFix. I reset all my accounts and OE was working fine, then I used Combifix for yesterday's report and the accounts had disappeared again - I have checked periodically today after using different pieces of software (NOT Combifix) and the accounts are all still intact.
The computer was running fine - nice and quick and smooth - until I logged in here and started this reply - and then things began to crawl again.
Anyways - here are the Links/Logs you needed;
Virscan;
VirSCAN.org Scanned Report :
Scanned time : 2009/06/16 12:38:50 (BST)
Scanner results: 3% Scanner(1/38) found malware!
File Name : IHelper.exe
File Size : 270336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 01d7899bef54c4c6c5b1f83130a45675
SHA1 : 17dc9c6acd0926c179ae1c1ea4ec6fa61d349349
Online report : http://virscan.org/report/bacd29e8079557f7bec3f031e69db4d8.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090614213204 2009-06-14 2.64 -
AhnLab V3 2009.06.16.03 2009.06.16 2009-06-16 0.77 -
AntiVir 8.2.0.187 7.1.4.98 2009-06-16 0.43 -
Antiy 2.0.18 20090616.2549523 2009-06-16 0.12 -
Arcavir 2009 200906160932 2009-06-16 0.07 -
Authentium 5.1.1 200906151603 2009-06-15 1.80 -
AVAST! 4.7.4 090615-0 2009-06-15 0.02 -
AVG 8.5.286 270.12.73/2180 2009-06-16 3.36 -
BitDefender 7.81008.3349029 7.26014 2009-06-16 3.02 -
CA (VET) 9.0.0.143 31.6.6560 2009-06-16 4.75 -
ClamAV 0.95.1 9469 2009-06-16 0.06 -
Comodo 3.9 1341 2009-06-16 0.72 -
CP Secure 1.1.0.715 2009.06.16 2009-06-16 10.13 -
Dr.Web 4.44.0.9170 2009.06.16 2009-06-16 4.82 -
F-Prot 4.4.4.56 20090615 2009-06-15 1.75 -
F-Secure 5.51.6100 2009.06.16.04 2009-06-16 0.10 -
Fortinet 2.81-3.117 10.502 2009-06-16 0.26 -
GData 19.5856/19.365 20090616 2009-06-16 4.98 -
ViRobot 20090616 2009.06.16 2009-06-16 0.49 -
Ikarus T3.1.01.59 2009.06.15.72872 2009-06-15 3.38 -
JiangMin 11.0.706 2009.06.16 2009-06-16 2.00 -
Kaspersky 5.5.10 2009.06.16 2009-06-16 0.08 -
KingSoft 2009.2.5.15 2009.6.16.18 2009-06-16 0.50 -
McAfee 5.3.00 5647 2009-06-15 3.08 -
Microsoft 1.4701 2009.06.16 2009-06-16 4.35 -
mks_vir 2.01 2009.06.15 2009-06-15 3.23 -
Norman 6.01.09 6.01.00 2009-06-16 4.01 -
Panda 9.05.01 2009.06.15 2009-06-15 1.69 -
Trend Micro 8.700-1004 6.196.03 2009-06-16 0.04 -
Quick Heal 10.00 2009.06.16 2009-06-16 1.26 -
Rising 20.0 21.34.13.00 2009-06-16 0.85 -
Sophos 2.87.1 4.42 2009-06-16 2.50 -
Sunbelt 5191 5191 2009-06-15 1.14 -
Symantec 1.3.0.24 20090615.003 2009-06-15 0.05 -
nProtect 20090616.03 4261430 2009-06-16 5.51 -
The Hacker 6.3.4.3 v00345 2009-06-15 0.71 -
VBA32 3.12.10.7 20090615.1405 2009-06-15 2.08 Win32 Shadow AutoStart Install (suspicious)
VirusBuster 4.5.11.10 10.107.14/1629766 2009-06-15 2.19 -
Blacklight Log
06/16/09 13:26:41 [Info]: BlackLight Engine 2.2.1092 initialized
06/16/09 13:26:41 [Info]: OS: 5.1 build 2600 (Service Pack 3)
06/16/09 13:26:41 [Note]: 7019 4
06/16/09 13:26:41 [Note]: 7005 0
06/16/09 13:26:44 [Note]: 7006 0
06/16/09 13:26:44 [Note]: 7022 0
06/16/09 13:26:44 [Note]: 7011 1756
06/16/09 13:26:44 [Note]: 7035 0
06/16/09 13:26:44 [Note]: 7026 0
06/16/09 13:26:44 [Note]: 7026 0
06/16/09 13:26:44 [Note]: FSRAW library version 1.7.1024
06/16/09 13:29:01 [Note]: 7007 0
Checkhd log
The type of the file system is NTFS.
WARNING! F parameter not specified.
Running CHKDSK in read-only mode.
CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.
160826683 KB total disk space.
46240744 KB in 78514 files.
23252 KB in 4781 indexes.
0 KB in bad sectors.
171891 KB in use by the system.
65536 KB occupied by the log file.
114390796 KB available on disk.
4096 bytes in each allocation unit.
40206670 total allocation units on disk.
28597699 allocation units available on disk.
HiJackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:33:16, on 16/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 5233 bytes
Hope this is what you need ...
Jeff
Dakeyras
2009-06-16, 21:57
Hi :)
I now think the current problems that have arisen because the initial ComboFix run without the Comodo Firewall correctly disabled caused this. No irreparable harm done and we should be able to rectify the situation plus hopefully will not need to run the aforementioned again. But we will leave it and its backups etc in-place for the time being as a precaution. When I give the all clear there is a specific methodology required to uninstall ComboFix.
Next:
Temp' disable your Comodo Firewall, this is so it does not hinder the HijackThis Fixes below.
Next:
Please re-open HiJackThis and select Scan. Check the boxes next to all the entries listed below (if present):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
Now click on Fix Checked. Close HiJackThis.
Next:
Now click Start >> Run and type cleanmgr in the box and press OK.
Ensure the boxes for Temporary Files, Temporary Internet Files and Recycle Bin are checked.
You can choose to check other boxes if you wish but they are not required.
Click on OK then Yes.
Hard-Drive Maintenance/Repair:
Note: for the CHKDSK portion you may refer to this tutorial of mine here (http://forums.whatthetech.com/How_run_CHKDSK_Windows_XP_t102348.html) and follow the instructions for Graphical Mode if you so wish.
Click Start >> Run... then type in CMD and click on OK.
At the Command Prompt C:\ > type the following:
CD C:\ and hit the Enter/Return key.
Now type in DEFRAG C: -F
A Analysis report will be displayed and then Windows will start the Defragmention run automatically.
This may take some time, when completed the Command Prompt C:\ > will appear.
Now type in CHKDSK C: /R and hit the Enter/Return key.
When prompted with:
CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)
Hit the Y key then at the Command Prompt C:\ >
Type in EXIT and and hit the Enter/Return key.
Now Reboot(Restart) your computer.
Note: Upon Reboot(Restart) the CHKDSK(check-disk) will start and carry out the repairs required.
You should see a screen like this just after the Post(power on self test) screen:
http://i223.photobucket.com/albums/dd202/Dakeyras_album/ChkDsk01.png
Note: Do not touch either the keyboard or Mouse, otherwise the Check-Disk will be canceled and you computer will continue to boot-up as normal.
When completed the above, please post back the following:
How is you computer performing now? Any problems encountered and or any further symptoms?
A new HijackThis Log.
jeff1955
2009-06-17, 10:10
Hi D :)
System seems to be working fine;
Boot up from off took 35 seconds, no major activity and machine seems quick and smooth.
Apologies for the delay in replying but Defrag and Disc Check took a while!
Log as requested;
HiJackThis Log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:06:20, on 17/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 5307 bytes
Thanks for all this attention :)
Jeff
Dakeyras
2009-06-17, 12:54
Hi :)
System seems to be working fine;
Boot up from off took 35 seconds, no major activity and machine seems quick and smooth.
Very good.
Apologies for the delay in replying but Defrag and Disc Check took a while!Not a problem and actually no need to apoligise but I do appreciate both the courtesy and manners. I thought the HDD Maint' might take some time but in the long run it is worth it.
Thanks for all this attention :)You're welcome!
OK as a final check it would be prudent to run a online scan as this will determine if your machine is indeed malware free and no other nasties lurking. If anything found we can then take the appropriate action.
There may be a chance that the infections removed by Combofix and currently residing in the quarantine folder may be flagged as will any lurking in the System Restore points, this is not a cause for concern I will add as they will be removed during the ComboFix uninstall procedure.
Run Kaspersky Online AV Scanner:
Go to this Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1242123288046) and perform an online antivirus scan.
Note: Use Internet Explorer for this scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
This online tuturial (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif) will help explain how to use the aforementioned online scan.
When completed the above, please post back the following:
How is you computer performing now? Any problems encountered and or any further symptoms?
Kaspersky report.
A new HijackThis Log.
jeff1955
2009-06-18, 00:40
Hi D :)
OK - everything is running well, no sluggishness or crashes.
Outlook Express working fine.
So here are the logs;
Kaspersky Scan;
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 17, 2009 21:58:23
Records in database: 2358335
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
W:\
X:\
Y:\
Z:\
Scan statistics:
Files scanned: 77046
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:20:01
No malware has been detected. The scan area is clean.
The selected area was scanned.
HiJackThis Log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:39:20, on 17/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 5356 bytes
Jeff :)
Dakeyras
2009-06-18, 02:54
Hi :)
OK - everything is running well, no sluggishness or crashes.
Outlook Express working fine.:bigthumb:
Next:
Congratulations your computer now appears to be malware free!
Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.
Importance of Regular System Maintenance:
I advice you read both of the below listed topics as this will go a long way to keeping your Computer performing well.
Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Also so is this:
What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)
Uninstall ComboFix:
Click on Start >> Run...
Now type in Combofix /u in the and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Cleanup with OTC:
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe)and save it to desktop. This tool will remove all the tools we used to clean your computer
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
Now some advice for on-line safety:
Malwarebyte's Anti-Malware:
This is a excellent application and I advise you keep this installed. Check for updates and run a scan once a week.
Other installed security software:
Your presently installed application, Spyware Doctor with AntiVirus automatically checks for updates and downloads/installs them with every system reboot and or periodically if the machine is left running providing a internet connection is active.
I advise you also run a complete scan with this also once per week.
Erunt:
Emergency Recovery Utility NT, I advice you keep this installed as a means to keep a complete backup of your registry and restore it when needed.
Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!
Keep your system updated:
Microsoft releases patches for Windows and other products regularly:
I advise you visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
Install the Active X
Once installed it will advise set Auto-Updates if not set and you then you will be able to manually check for updates also via:
Start >> All Programs >> Microsoft Updates
Be careful when opening attachments and downloading files:
Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).
Stop malicious scripts:
Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.
Make your Internet Explorer safer:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.Avoid Peer to Peer software:
P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice avoid these types of software applications.
Hosts File:
A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.
Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.
Here are some Hosts files:
MVPS Hosts File (http://www.mvps.org/winhelp2002/hosts.htm)
Bluetack's Hosts File (http://www.bluetack.co.uk/forums/index.php?showtopic=8406)
Bluetack's Host Manager (http://www.bluetack.co.uk/forums/index.php?autocom=faq&CODE=02&qid=16)
hpHosts (http://hphosts.mysteryfcm.co.uk/?s=Download).
Only use one of the above.
Finally a educational source:
To learn more about how to protect yourself while on the internet read this article by Tony Klein:
So how did I get infected in the first place? (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)
Some consider this article outdated, personally I still think it bares relevance and the author is well respected in the Anti-Malware community and by myself also!
Any questions,feel free to ask? If not stay safe!
jeff1955
2009-06-18, 09:42
Hi D :)
Great job - thank you so much for leading me, so brilliantly, through this minefield.
The PC is running very efficiently, boot up took just 34 seconds from off, and software I used within seconds of full bootup ran very smoothly.
I have taken all your advice - though all my settings in Internet Explorer were already as you advised them to be set.
Good luck with all the problems you are about to solve - those troubled users are in good hands :)
Jeff
Dakeyras
2009-06-18, 14:32
Your are very welcome! And thank you :)
Dakeyras
2009-06-20, 14:07
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.