View Full Version : computer not working propely after malware removal
i had gotten antivirus antispyware 2011. i had to end up taking it to a shop. and they got it going again. but it was recommended that i wipe the computer and reinstall my winxp sp3. i cant wipe my computer. i have way too many things that i need to save.
i need this computer tuned back up better than it is right now. i cant update my java or some of my other files. my printer wont print out some stuff for me. i think it requires a java update. but i am guessing.
anyway here is my dds. and my attach txt.
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by user1 at 0:55:07 on 2011-06-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.621 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NitroPDFBHO Class: {cf070cb8-f02f-4af4-a7b7-8d45cad4bb54} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\user1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos1.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1305513445328
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://aolsvc.aol.com/onlinegames/luxor/mjolauncher.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{16EC8109-7AA0-46A7-9CA4-03BDFB652C15} : DhcpNameServer = 10.0.0.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user1\application data\mozilla\firefox\profiles\b58fxe4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\clickpotatolite\bin\10.0.630.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 10450752;10450752 Boot Guard Driver;c:\windows\system32\drivers\10450752.sys [2011-5-16 37392]
R0 30583512;30583512 Boot Guard Driver;c:\windows\system32\drivers\30583512.sys [2011-5-3 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-29 64512]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-5 28544]
R1 10450751;10450751;c:\windows\system32\drivers\10450751.sys [2011-5-16 128016]
R1 setup_9.0.0.722_04.05.2011_01-35drv;setup_9.0.0.722_04.05.2011_01-35drv;c:\windows\system32\drivers\1045075.sys [2011-5-16 315408]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-3-10 22504]
S1 30583511;30583511;c:\windows\system32\drivers\30583511.sys --> c:\windows\system32\drivers\30583511.sys [?]
S2 cjochxnc;cjochxnc; [x]
S2 gupdate1ca12677b4877de;Google Update Service (gupdate1ca12677b4877de);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;\??\c:\program files\msi\live update 5\msibios32_100507.sys --> c:\program files\msi\live update 5\msibios32_100507.sys [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;\??\c:\program files\msi\live update 5\ntiolib.sys --> c:\program files\msi\live update 5\NTIOLib.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-05-17 17:18:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 04:30:05 0 ----a-w- c:\windows\Emikalepetiyogov.bin
2011-04-30 03:44:08 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-30 03:44:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-29 17:12:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
============= FINISH: 0:56:59.09 ===============
Hi,
If help still needed post fresh dds logs.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user1 at 9:42:12.21 on Sat 07/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.194 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBKPSWX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user1\Desktop\setup files\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NitroPDFBHO Class: {cf070cb8-f02f-4af4-a7b7-8d45cad4bb54} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\user1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos1.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1305513445328
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://aolsvc.aol.com/onlinegames/luxor/mjolauncher.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\b58fxe4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 10450752;10450752 Boot Guard Driver;c:\windows\system32\drivers\10450752.sys [2011-5-16 37392]
R0 30583512;30583512 Boot Guard Driver;c:\windows\system32\drivers\30583512.sys [2011-5-3 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-29 64512]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-5 28544]
R1 10450751;10450751;c:\windows\system32\drivers\10450751.sys [2011-5-16 128016]
R1 setup_9.0.0.722_04.05.2011_01-35drv;setup_9.0.0.722_04.05.2011_01-35drv;c:\windows\system32\drivers\1045075.sys [2011-5-16 315408]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-3-10 22504]
S1 30583511;30583511;c:\windows\system32\drivers\30583511.sys --> c:\windows\system32\drivers\30583511.sys [?]
S2 cjochxnc;cjochxnc; [x]
S2 gupdate1ca12677b4877de;Google Update Service (gupdate1ca12677b4877de);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;\??\c:\program files\msi\live update 5\msibios32_100507.sys --> c:\program files\msi\live update 5\msibios32_100507.sys [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;\??\c:\program files\msi\live update 5\ntiolib.sys --> c:\program files\msi\live update 5\NTIOLib.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]
.
=============== Created Last 30 ================
.
2011-06-25 05:51:05 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-25 05:51:04 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-06-25 05:55:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 04:30:05 0 ----a-w- c:\windows\Emikalepetiyogov.bin
2011-04-30 03:44:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
.
============= FINISH: 9:44:13.31 ===============
one thing i have found out is that my windows installer is bad. i read some insturcutions on how to fix it. but that didnt restart it. i think i may need to remove it or reregester it. i stopped until you could look at it.
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
ComboFix 11-07-02.02 - user1 07/03/2011 11:16:24.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.593 [GMT -5:00]
Running from: c:\documents and settings\user1\Desktop\setup files\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user1\Application Data\Adobe\plugs
c:\documents and settings\user1\Application Data\Adobe\plugs\mmc254116562.txt
c:\documents and settings\user1\Application Data\Adobe\plugs\mmc254244000.txt
c:\documents and settings\user1\Application Data\Adobe\shed
c:\documents and settings\user1\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\user1\Application Data\Erleuq
c:\documents and settings\user1\Application Data\Erleuq\huosu.exe
c:\documents and settings\user1\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-06-25 05:51 . 2011-06-25 05:51 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-25 05:51 . 2011-06-25 05:51 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-21 23:59 . 2011-06-21 23:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 05:55 . 2011-05-17 17:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-30 03:44 . 2011-04-30 03:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-30 03:44 . 2011-05-01 00:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-29 17:12 . 2011-04-30 03:24 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-25 05:51 . 2011-05-14 23:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]
.
c:\documents and settings\user1\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user1^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\user1\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user1^Start Menu^Programs^Startup^setup_9.0.0.722_04.05.2011_01-35.lnk]
path=c:\documents and settings\user1\Start Menu\Programs\Startup\setup_9.0.0.722_04.05.2011_01-35.lnk
backup=c:\windows\pss\setup_9.0.0.722_04.05.2011_01-35.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-05-14 06:35 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 02:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 06:06 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-01 05:13 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-04-28 18:15 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"gupdate1ca12677b4877de"=2 (0x2)
"Bonjour Service"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R0 10450752;10450752 Boot Guard Driver;c:\windows\system32\drivers\10450752.sys [5/16/2011 10:23 AM 37392]
R0 30583512;30583512 Boot Guard Driver;c:\windows\system32\drivers\30583512.sys [5/3/2011 9:09 PM 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2011 10:24 PM 64512]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/5/2009 11:05 PM 28544]
R1 10450751;10450751;c:\windows\system32\drivers\10450751.sys [5/16/2011 10:23 AM 128016]
R1 setup_9.0.0.722_04.05.2011_01-35drv;setup_9.0.0.722_04.05.2011_01-35drv;c:\windows\system32\drivers\1045075.sys [5/16/2011 10:23 AM 315408]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [3/10/2011 6:44 PM 22504]
S1 30583511;30583511;c:\windows\system32\DRIVERS\30583511.sys --> c:\windows\system32\DRIVERS\30583511.sys [?]
S2 cjochxnc;cjochxnc; [x]
S2 gupdate1ca12677b4877de;Google Update Service (gupdate1ca12677b4877de);c:\program files\Google\Update\GoogleUpdate.exe [6/7/2011 12:20 AM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/29/2011 12:11 PM 15232]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;\??\c:\program files\MSI\Live Update 5\msibios32_100507.sys --> c:\program files\MSI\Live Update 5\msibios32_100507.sys [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;\??\c:\program files\MSI\Live Update 5\NTIOLib.sys --> c:\program files\MSI\Live Update 5\NTIOLib.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/29/2011 12:11 PM 2146496]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 17:11]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 05:20]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 05:20]
.
2011-07-03 c:\windows\Tasks\User_Feed_Synchronization-{774B4476-EF28-4D16-A7C5-5EB17D2CDA47}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: DhcpNameServer = 10.0.0.1
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\b58fxe4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-AntiVirus AntiSpyware 2011 - c:\documents and settings\user1\Application Data\AntiVirus AntiSpyware 2011\AntiVirus AntiSpyware.exe
MSConfigStartUp-AntiVirus AntiSpyware 2011 Security - c:\documents and settings\user1\Application Data\AntiVirus AntiSpyware 2011\securitymanager.exe
MSConfigStartUp-AntiVirus_AntiSpyware_2011 - c:\documents and settings\user1\Application Data\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe
MSConfigStartUp-BDRegion - c:\program files\Cyberlink\Shared Files\brs.exe
MSConfigStartUp-ClickPotatoLiteSA - c:\program files\ClickPotatoLite\bin\10.0.630.0\ClickPotatoLiteSA.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-PopRock - c:\docume~1\user1\LOCALS~1\Temp\a.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-Xmijabiperewehap - c:\windows\ahagogutagesa.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 11:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-963894560-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:30,2e,8a,eb,22,96,c2,4e,bb,15,e9,f2,a5,03,f1,37,9c,3e,cb,d5,65,be,d1,
42,40,e2,1b,ab,a1,5b,f4,24,72,89,cb,35,3e,b0,a1,56,3c,01,35,d5,b6,04,17,1d,\
"??"=hex:c2,57,f9,dd,03,8d,ae,f9,3e,6c,9f,c4,4a,42,6e,a4
.
Completion time: 2011-07-03 11:35:27
ComboFix-quarantined-files.txt 2011-07-03 16:35
.
Pre-Run: 306,786,304 bytes free
Post-Run: 896,163,840 bytes free
.
- - End Of File - - D2B1DB67269F5AFBFE0AE1BD5721126E
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user1 at 11:41:34.36 on Sun 07/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.590 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBKPSWX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user1\Desktop\setup files\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NitroPDFBHO Class: {cf070cb8-f02f-4af4-a7b7-8d45cad4bb54} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\user1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos1.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1305513445328
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://aolsvc.aol.com/onlinegames/luxor/mjolauncher.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\b58fxe4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 10450752;10450752 Boot Guard Driver;c:\windows\system32\drivers\10450752.sys [2011-5-16 37392]
R0 30583512;30583512 Boot Guard Driver;c:\windows\system32\drivers\30583512.sys [2011-5-3 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-29 64512]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-5 28544]
R1 10450751;10450751;c:\windows\system32\drivers\10450751.sys [2011-5-16 128016]
R1 setup_9.0.0.722_04.05.2011_01-35drv;setup_9.0.0.722_04.05.2011_01-35drv;c:\windows\system32\drivers\1045075.sys [2011-5-16 315408]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-3-10 22504]
S1 30583511;30583511;c:\windows\system32\drivers\30583511.sys --> c:\windows\system32\drivers\30583511.sys [?]
S2 cjochxnc;cjochxnc; [x]
S2 gupdate1ca12677b4877de;Google Update Service (gupdate1ca12677b4877de);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;\??\c:\program files\msi\live update 5\msibios32_100507.sys --> c:\program files\msi\live update 5\msibios32_100507.sys [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;\??\c:\program files\msi\live update 5\ntiolib.sys --> c:\program files\msi\live update 5\NTIOLib.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]
.
=============== Created Last 30 ================
.
2011-07-03 14:55:25 518144 ----a-w- c:\windows\SWREG.exe
2011-07-03 14:55:25 256000 ----a-w- c:\windows\PEV.exe
2011-07-03 14:55:25 208896 ----a-w- c:\windows\MBR.exe
2011-07-03 14:55:24 98816 ----a-w- c:\windows\sed.exe
2011-06-25 05:51:05 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-25 05:51:04 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-06-25 05:55:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 04:30:05 0 ----a-w- c:\windows\Emikalepetiyogov.bin
2011-04-30 03:44:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
.
============= FINISH: 11:42:35.97 ===============
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
cjochxnc
DDS::
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 26 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Any symptoms left?
my main reason for coming and asking to look my computer over. is because when i go to update java and adobe now. the computer pops up a message saying my windows installer is running in safe mode or is bad. i have looked up this on the internet. and have found that i may need ot unregister the windows installer or do soemthing to the registry values. but i either didnt understand what they were talking about. or i couldnt figure out how to do the registering thing. so i had to stop. i have ran the script. but cant update java or adobe. i am trying right now to download java manually from the link you provided. i have done the combo fix drag and drop. i have not yet been to eset yet.
but i wanted to say this and show the combofix and dds log here before doing anything else. my system is still running the same as it was. all i have seen so far is the icons on the desktop change to corrected pictures instead of missing pictures.
ComboFix 11-07-02.02 - user1 07/03/2011 12:48:30.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.703 [GMT -5:00]
Running from: c:\documents and settings\user1\Desktop\setup files\ComboFix.exe
Command switches used :: c:\documents and settings\user1\Desktop\cfscript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CJOCHXNC
-------\Service_cjochxnc
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-06-25 05:51 . 2011-06-25 05:51 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-25 05:51 . 2011-06-25 05:51 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-21 23:59 . 2011-06-21 23:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 05:55 . 2011-05-17 17:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-30 03:44 . 2011-04-30 03:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-30 03:44 . 2011-05-01 00:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-29 17:12 . 2011-04-30 03:24 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-25 05:51 . 2011-05-14 23:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-03_16.30.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-03 18:04 . 2011-07-03 18:04 40960 c:\windows\temp\rtdrvmon.exe
+ 2011-07-03 18:04 . 2011-07-03 18:04 16384 c:\windows\temp\Perflib_Perfdata_70c.dat
+ 2011-07-03 17:30 . 2011-07-03 17:30 294912 c:\windows\ERDNT\AutoBackup\7-3-2011\Users\00000002\UsrClass.dat
+ 2011-07-03 17:30 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\7-3-2011\ERDNT.EXE
+ 2011-07-03 17:30 . 2011-07-03 17:30 8581120 c:\windows\ERDNT\AutoBackup\7-3-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-12 44544]
.
c:\documents and settings\user1\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user1^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\user1\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user1^Start Menu^Programs^Startup^setup_9.0.0.722_04.05.2011_01-35.lnk]
path=c:\documents and settings\user1\Start Menu\Programs\Startup\setup_9.0.0.722_04.05.2011_01-35.lnk
backup=c:\windows\pss\setup_9.0.0.722_04.05.2011_01-35.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-05-14 06:35 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 02:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 06:06 1667584 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-01 05:13 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-04-28 18:15 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"gupdate1ca12677b4877de"=2 (0x2)
"Bonjour Service"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R0 10450752;10450752 Boot Guard Driver;c:\windows\system32\drivers\10450752.sys [5/16/2011 10:23 AM 37392]
R0 30583512;30583512 Boot Guard Driver;c:\windows\system32\drivers\30583512.sys [5/3/2011 9:09 PM 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2011 10:24 PM 64512]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/5/2009 11:05 PM 28544]
R1 10450751;10450751;c:\windows\system32\drivers\10450751.sys [5/16/2011 10:23 AM 128016]
R1 setup_9.0.0.722_04.05.2011_01-35drv;setup_9.0.0.722_04.05.2011_01-35drv;c:\windows\system32\drivers\1045075.sys [5/16/2011 10:23 AM 315408]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [3/10/2011 6:44 PM 22504]
S1 30583511;30583511;c:\windows\system32\DRIVERS\30583511.sys --> c:\windows\system32\DRIVERS\30583511.sys [?]
S2 gupdate1ca12677b4877de;Google Update Service (gupdate1ca12677b4877de);c:\program files\Google\Update\GoogleUpdate.exe [6/7/2011 12:20 AM 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/29/2011 12:11 PM 15232]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;\??\c:\program files\MSI\Live Update 5\msibios32_100507.sys --> c:\program files\MSI\Live Update 5\msibios32_100507.sys [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;\??\c:\program files\MSI\Live Update 5\NTIOLib.sys --> c:\program files\MSI\Live Update 5\NTIOLib.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/29/2011 12:11 PM 2146496]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 17:11]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 05:20]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 05:20]
.
2011-07-03 c:\windows\Tasks\User_Feed_Synchronization-{774B4476-EF28-4D16-A7C5-5EB17D2CDA47}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: DhcpNameServer = 10.0.0.1
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\b58fxe4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 13:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-963894560-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:30,2e,8a,eb,22,96,c2,4e,bb,15,e9,f2,a5,03,f1,37,9c,3e,cb,d5,65,be,d1,
42,40,e2,1b,ab,a1,5b,f4,24,72,89,cb,35,3e,b0,a1,56,3c,01,35,d5,b6,04,17,1d,\
"??"=hex:c2,57,f9,dd,03,8d,ae,f9,3e,6c,9f,c4,4a,42,6e,a4
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3436)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
.
**************************************************************************
.
Completion time: 2011-07-03 13:11:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-03 18:11
ComboFix2.txt 2011-07-03 16:35
.
Pre-Run: 859,463,680 bytes free
Post-Run: 789,786,624 bytes free
.
- - End Of File - - 083B12CE9F48596FF0949452761035B2
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user1 at 13:49:11.81 on Sun 07/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.656 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user1\Desktop\setup files\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NitroPDFBHO Class: {cf070cb8-f02f-4af4-a7b7-8d45cad4bb54} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\user1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos1.walmart.com/WalmartActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1305513445328
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://aolsvc.aol.com/onlinegames/luxor/mjolauncher.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\b58fxe4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user1\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 10450752;10450752 Boot Guard Driver;c:\windows\system32\drivers\10450752.sys [2011-5-16 37392]
R0 30583512;30583512 Boot Guard Driver;c:\windows\system32\drivers\30583512.sys [2011-5-3 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-29 64512]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-5 28544]
R1 10450751;10450751;c:\windows\system32\drivers\10450751.sys [2011-5-16 128016]
R1 setup_9.0.0.722_04.05.2011_01-35drv;setup_9.0.0.722_04.05.2011_01-35drv;c:\windows\system32\drivers\1045075.sys [2011-5-16 315408]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-3-10 22504]
S1 30583511;30583511;c:\windows\system32\drivers\30583511.sys --> c:\windows\system32\drivers\30583511.sys [?]
S2 gupdate1ca12677b4877de;Google Update Service (gupdate1ca12677b4877de);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;\??\c:\program files\msi\live update 5\msibios32_100507.sys --> c:\program files\msi\live update 5\msibios32_100507.sys [?]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;\??\c:\program files\msi\live update 5\ntiolib.sys --> c:\program files\msi\live update 5\NTIOLib.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]
.
=============== Created Last 30 ================
.
2011-07-03 18:48:44 -------- d-s---w- C:\ComboFix
2011-07-03 14:55:25 518144 ----a-w- c:\windows\SWREG.exe
2011-07-03 14:55:25 256000 ----a-w- c:\windows\PEV.exe
2011-07-03 14:55:25 208896 ----a-w- c:\windows\MBR.exe
2011-07-03 14:55:24 98816 ----a-w- c:\windows\sed.exe
2011-06-25 05:51:05 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-25 05:51:04 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-06-25 05:55:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 04:30:05 0 ----a-w- c:\windows\Emikalepetiyogov.bin
2011-04-30 03:44:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
.
============= FINISH: 13:50:43.32 ===============
Hi,
Delete c:\windows\Emikalepetiyogov.bin file too. You may try the following steps to fix Windows Installer problem.
1. Download Dial-a-Fix archive file here (http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles).
2. Extract contents to suitable place (e.g. your desktop) and navigate to that location.
3. Double-click Dial-a-Fix.exe file to execute the program.
4. Checkmark Fix Windows Installer -checkbox. It's possible that the program checks some options automatically after that. Leave those untouched and click GO -button.
When tool has finished, reboot and see if problem still stays.
thgat worked. i now have both java and adobe updated. thank you. now if internet explorer and firefox would only open as fast as they used to. i have no idea what is slowing them down.
Hi,
Did you scan with ESET yet?
How long does it take browsers to start and do they work as slowly with addons disabled or not?
wow i thought they were all gone. but eset found these.
C:\Qoobox\Quarantine\C\Documents and Settings\user1\Application Data\Adobe\plugs\mmc254116562.txt.vir a variant of Win32/Kryptik.NKK trojan
C:\Qoobox\Quarantine\C\Documents and Settings\user1\Application Data\Erleuq\huosu.exe.vir a variant of Win32/Kryptik.OOK trojan
C:\System Volume Information\_restore{921B7F7C-86BD-4328-84F1-FBA1287D34DD}\RP50\A0014309.exe a variant of Win32/Kryptik.OOK trojan
there are several system volume info restore files that have been quarntined as well as click potato and something to do with sun java cache.
i am thinking i can just delete the folder Qoobox. but i dont know what to do about the system volume information.
as far as how fast the browser open. it isnt immediate anymore. it takes a few minutes for them to be ready to type in your web address. firefox has always been liek that. but internet explorer has just started doing this after the antivirus antispyware problem.
oops. i am unsure about the add ons. i havent tried to remove any of them. i am not even sure i have very many that arent kind of required just to run the computer for day to day operation.
Hi,
Those ESET findings will be removed when system restore is reseted and ComboFix uninstalled.
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
See if browsers load any faster after that.
all of that has been done. i also removed two of internet explorers accelorators. blog and email. i wont ever use those. i noticed java was disabled when looking at toolbars and extensions. the only thing i saw that was enabled besides ie spell was nitro pdf. and i dont know why i had that put on this computer.
firefox has several versions of java shown under the extensions. including the one new update.
both take longer than i think is usual for them to start up.
Hi,
Have you defragged your hard drive partitions lately? If not please do that. Also, please check how much free space you have there at the moment. Low disk space would cause slowness too.
i cant figure out how to defrag this machine with the auto task. the low disc space warning coems up but doesnt work properly.
For defragging I'd use 3rd party solution. Good commercial ones are PerfectDisk (http://www.perfectdisk.com/home) and Diskeeper (http://www.diskeeper.com/diskeeper/home/diskeeper.aspx). Of free options I recommend MyDefrag (http://www.mydefrag.com/) and Piriform Defraggler (http://www.piriform.com/defraggler).
Due to inactivity, this thread will now be closed.
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.