multiple problems after fake Spybot remover downloaded

RAM:
I have too many unneeded programs loading at start up that are draining my available RAM.
Yes, that is an issue we need to correct, but you have other issues that I believe need to be addressed first.

http://www.processlibrary.com/directory/files/svchost/ <<< read this:
Acting as a host, the file svchost.exe creates multiple instances of itself.
Defrag: If the program you downloaded worked, fine. I would like to know what error message you get when you try to run the Windows XP defrag; that might tell us why it is not working.

Combofix: delete the program (right-click) and download it again; this time, before you save it to the Desktop, change the name like this:

You must rename it before saving it; save it to your Desktop.

[image: CF_download_rename.gif]

I will comment briefly on any number in the last post that needs a comment.

2. There can be many reasons, and it is difficult to troubleshoot without error messages. Out-of-date drivers often cause this, and you had three out of date; are they updated now?

3. Spybot S&D is the least of your problems. Please do not try to use it. Once all other issues are resolved, you can uninstall it and reinstall it; that will likely fix issues with the program. If not, you can discuss that with Spybot S&D experts here:
http://forums.spybot.info/forumdisplay.php?f=4

4. Post error messages word for word.

5. What browser are you using when this happens? Did you try another browser? There is likely malware still on board; that is why I am trying to get ComboFix to run. The situation is that the computer was in poor shape and there was much to do.

6. Post error/message you get when you try to run it. Have you run chkdsk on this computer recently?
http://support.microsoft.com/kb/315265

Besides running combofix, please also update the diagnostic at PCPitStop and post the link.

Thanks
 
Combofix Log:

ComboFix 09-07-25.08 - Tyler W 07/26/2009 16:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.191 [GMT -5:00]
Running from: c:\documents and settings\Tyler W\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\data\IluPak.exe
c:\program files\QUAD Utilities
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\NPROTECT
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Installer\11bf05e.msi
c:\windows\Installer\17c9e6f.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UAClwhosvdkturrwdpap.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\UACdnixfujbohoqombij.dll
c:\windows\system32\UAChsrfvkkemqpwltusx.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpqdqkyxmpkqqrwuig.dll
c:\windows\system32\UACqhttlbvnvnfgqwosf.log
c:\windows\system32\UACqqaorduhewxdqsgkg.dll
c:\windows\system32\UACrqupbimryllxmixyb.log
c:\windows\system32\UACvylxymdwdwxfclyeo.log
c:\windows\system32\UACwcdoyfnxjlbbdxxna.dll
c:\windows\system32\UACwunrbutejftbldlya.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NPF
-------\Legacy_SVCPROC
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-26 21:57 . 2009-07-26 22:08 237600 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-26 21:57 . 2009-07-26 22:07 2848 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-26 21:05 . 2009-07-26 21:05 -------- d-----w- c:\windows\VirtualEar
2009-07-26 21:05 . 2003-08-19 23:36 65536 ----a-w- c:\windows\system32\Audio3d.dll
2009-07-26 21:05 . 2001-10-04 19:50 991232 ----a-w- c:\windows\system32\virtear.dll
2009-07-26 21:05 . 2009-07-26 21:05 -------- d-----w- c:\program files\Analog Devices
2009-07-26 21:05 . 2004-11-19 15:00 49152 ----a-w- c:\windows\system32\DSndUp.exe
2009-07-26 21:05 . 2002-04-17 19:05 45056 ----a-w- c:\windows\system32\CleanUp.exe
2009-07-26 21:03 . 2004-10-05 21:10 23040 ----a-w- c:\windows\system32\PostProc.dll
2009-07-26 21:03 . 2004-09-23 12:55 311296 ----a-w- c:\windows\system32\Edcrypt.dll
2009-07-26 21:03 . 2004-09-17 14:02 732928 ----a-w- c:\windows\system32\drivers\senfilt.sys
2009-07-26 21:03 . 2001-09-19 17:47 765952 ----a-w- c:\windows\system\crlds3d.dll
2009-07-26 19:30 . 2009-07-26 20:39 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-26 19:30 . 2009-07-26 20:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ParetoLogic
2009-07-25 03:44 . 2009-07-25 03:44 -------- d-----w- c:\documents and settings\Tyler W\Application Data\IObit
2009-07-25 03:44 . 2009-07-25 03:44 -------- d-----w- c:\program files\IObit
2009-07-24 21:04 . 2009-07-24 21:04 -------- d-----w- c:\documents and settings\Tyler W\Application Data\True Sword
2009-07-24 16:32 . 2009-07-24 16:32 -------- d-----w- c:\documents and settings\Tyler W\Application Data\Malwarebytes
2009-07-24 16:24 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 16:24 . 2009-07-24 17:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 16:24 . 2009-07-24 16:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-24 16:24 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 15:12 . 2009-07-24 15:12 -------- d-----w- c:\program files\ERUNT
2009-07-24 06:19 . 2009-07-24 06:19 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-24 06:14 . 2009-07-24 06:14 390664 ----a-w- c:\documents and settings\Tyler W\Application Data\Real\RealPlayer\setup\AU_setup.exe
2009-07-24 05:58 . 2009-07-24 05:58 -------- d-----w- c:\documents and settings\Tyler W\Application Data\vlc
2009-07-24 04:42 . 2009-07-24 04:42 -------- d-----w- c:\program files\iPod
2009-07-24 04:41 . 2009-07-24 04:42 -------- d-----w- c:\program files\iTunes
2009-07-24 04:41 . 2009-07-24 04:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-24 03:48 . 2009-07-24 03:48 -------- d-----w- c:\program files\Secunia
2009-07-22 22:09 . 2009-07-22 22:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-22 04:34 . 2009-07-22 04:34 -------- d-----w- c:\program files\Trend Micro
2009-07-22 04:05 . 2009-07-26 21:49 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-22 04:05 . 2009-07-25 21:26 -------- d-----w- c:\program files\SpywareBlaster
2009-07-22 03:25 . 2009-07-24 20:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-22 02:15 . 2004-03-22 17:24 4272 ----a-r- c:\windows\system32\drivers\bvrp_pci.sys
2009-07-22 00:35 . 2009-07-22 00:35 -------- d-----w- C:\$WIN_NT$.~BT
2009-07-19 22:36 . 2009-07-19 22:36 -------- d-----w- c:\documents and settings\Tyler W\Application Data\RegistryPC
2009-07-19 22:36 . 2009-07-22 05:09 -------- d-----w- c:\program files\RegistryPC
2009-07-15 17:40 . 2008-05-30 19:40 29712 ----a-w- c:\windows\system32\VCFCHK.exe
2009-07-15 17:40 . 2008-05-30 19:40 268944 ----a-w- c:\windows\system32\drivers\VCFFltr.SYS
2009-07-15 07:13 . 2009-07-15 07:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-02 03:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 22:06 . 2009-07-26 21:57 3788 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-26 22:06 . 2009-07-26 21:57 1292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-26 22:06 . 2005-02-06 21:18 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-00000000-00001102-00000004-20061102}.dat
2009-07-26 22:06 . 2005-02-06 21:18 384 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000000-00001102-00000004-20061102}.dat
2009-07-26 21:05 . 2005-02-06 21:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 17:22 . 2006-03-15 20:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-24 06:18 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-24 05:03 . 2008-03-15 12:07 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-07-24 05:00 . 2005-02-06 21:17 -------- d-----w- c:\program files\Java
2009-07-24 04:42 . 2007-10-05 19:35 -------- d-----w- c:\program files\Common Files\Apple
2009-07-24 04:41 . 2005-12-09 02:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-07-24 04:27 . 2005-02-15 20:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-24 04:04 . 2006-04-17 13:53 -------- d-----w- c:\program files\QuickTime
2009-07-23 23:09 . 2005-02-23 06:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-23 23:07 . 2005-02-23 06:34 -------- d-----w- c:\program files\Symantec
2009-07-22 22:11 . 2005-02-27 10:01 -------- d-----w- c:\program files\DivX
2009-07-21 23:14 . 2005-02-06 21:20 -------- d-----w- c:\program files\CyberLink
2009-07-15 17:40 . 2009-07-15 17:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_VCFFltr_01005.Wdf
2009-07-15 17:40 . 2009-07-15 17:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-13 03:30 . 2008-06-16 16:14 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 04:06 . 2005-03-19 07:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-22 21:56 . 2008-06-16 16:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 14:36 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 12:50 . 2009-06-12 01:29 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-12 01:29 . 2009-06-12 01:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-10 16:16 . 2009-06-10 16:16 152576 ----a-w- c:\documents and settings\Tyler W\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-07 03:54 . 2009-06-07 03:54 -------- d-----w- c:\documents and settings\Tyler W\Application Data\aAvgApi
2009-06-03 19:09 . 2004-08-04 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 02:30 . 2009-04-02 00:58 -------- d-----w- c:\program files\GameTap Web Player
2009-05-26 15:12 . 2008-06-16 16:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-26 15:11 . 2008-06-16 16:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-21 16:33 . 2008-11-26 16:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-01-17 02:13 . 2009-01-17 02:13 64061 -c--a-w- c:\program files\AUG2007_d3dx9_35_x64.cab
2008-10-27 16:37 . 2008-10-27 16:37 696881 -c--a-w- c:\program files\APR2007_d3dx10_33_x86.cab
2008-10-27 16:37 . 2008-10-27 16:37 196782 -c--a-w- c:\program files\APR2007_XACT_x64.cab
2008-10-27 16:37 . 2008-10-27 16:37 183919 ----a-w- c:\program files\AUG2006_XACT_x64.cab
2008-10-27 16:37 . 2008-10-27 16:37 180149 -c--a-w- c:\program files\Apr2006_XACT_x64.cab
2008-10-27 16:37 . 2008-10-27 16:37 152241 -c--a-w- c:\program files\APR2007_XACT_x86.cab
2008-10-27 16:37 . 2008-10-27 16:37 139033 -c--a-w- c:\program files\OCT2006_XACT_x86.cab
2008-10-27 16:37 . 2008-10-27 16:37 138251 -c--a-w- c:\program files\AUG2006_XACT_x86.cab
2008-10-27 16:37 . 2008-10-27 16:37 134119 -c--a-w- c:\program files\Apr2006_XACT_x86.cab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 15:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-24 198160]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2004-03-11 28672]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-10-07 1630208]

c:\documents and settings\Tyler W\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-6-24 803176]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-2-6 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-26 15:12 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windows SteadyState]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133074693\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1133074693\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GameTap\\bin\\Release\\gametap.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/16/2008 11:14 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/16/2008 11:14 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 5:24 PM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 5:24 PM 298776]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2/25/2005 12:53 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2/25/2005 12:53 AM 3904]
R3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\SYSTEM32\DRIVERS\LSIPNDS.sys [5/8/2009 2:47 PM 96256]
R3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [6/17/2009 7:20 AM 12648]
S0 adwarealert;adwarealert; [x]
S2 QALQYEVI;QALQYEVI; [x]
S2 ssmfwt;ssmfwt;c:\windows\system32\drivers\eenjh.sys --> c:\windows\system32\drivers\eenjh.sys [?]
S3 gtermddo;gtermddo; [x]
S3 NVIAIDE;NVIAIDE; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://vermillion.mchsionline.net/community/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 17:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-405351864-486159836-3339079740-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’e*’B*’ ’N*’9 ’x*’9 ]
"Order"=hex:08,00,00,00,02,00,00,00,a8,00,00,00,01,00,00,00,01,00,00,00,9c,00,
00,00,00,00,00,00,8e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7c,00,31,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2116)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\snmp.exe
c:\windows\SYSTEM32\UAService7.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-07-26 17:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 22:14

Pre-Run: 42,206,846,976 bytes free
Post-Run: 42,557,919,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Setup"
[spybotsd]
timeout.old=5

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
298 --- E O F --- 2009-07-23 22:25


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:41 PM, on 7/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://trueblaze.proboards.com/index.cgi?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246406993921
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9494 bytes
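An added triage example for the ComboFix log above (editor's code; it is not part of the thread and not a ComboFix feature). It does what the helper's reply does by eye: the deleted UAC-prefixed files with seventeen random letters, uacinit.dll and the UACd.sys service are the naming pattern commonly attributed to the TDSS/TDL2 rootkit family, which is what the "nasty rootkit" verdict rests on; the S0/S2/S3 entries marked [x] (no image path) or [?] (path set, file absent) are services still registered with no driver behind them, which is the normal residue after either an uninstall or a cleanup; and npf.sys, Packet.dll, wpcap.dll and rpcapd.exe are WinPcap, a legitimate packet-capture library that ComboFix routinely deletes, so it has to be reinstalled if the user put it there deliberately (for Wireshark, say). `SAMPLE_LOG` is a constructed excerpt of the posted log, the function names `triage` and `summarize` and the 12-20 letter bound in `UAC_RE` are my choices, and the [x]/[?] meanings are taken from ComboFix's usual log convention.

```python
"""Triage helper for a ComboFix log (editor-added example, not part of the
thread or of ComboFix). It flags three things in the log posted above:
the randomly named UAC* files and UACd.sys service, services whose
binary is missing ([x] / [?]), and the WinPcap capture components."""
import re

# Constructed excerpt of the ComboFix log posted in this thread (not the
# full log); section banners are reproduced in ComboFix's own style.
SAMPLE_LOG = r"""
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
c:\data\IluPak.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UAClwhosvdkturrwdpap.sys
c:\windows\system32\Packet.dll
c:\windows\system32\UACdnixfujbohoqombij.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACqhttlbvnvnfgqwosf.log
c:\windows\system32\wpcap.dll
((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))
-------\Service_UACd.sys
-------\Legacy_NPF
-------\Service_npf
((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/16/2008 11:14 AM 335752]
S0 adwarealert;adwarealert; [x]
S2 QALQYEVI;QALQYEVI; [x]
S2 ssmfwt;ssmfwt;c:\windows\system32\drivers\eenjh.sys --> c:\windows\system32\drivers\eenjh.sys [?]
S3 NVIAIDE;NVIAIDE; [x]
"""

# ComboFix section banner: a run of '(', a title, a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# UAC + a run of random letters (.dll/.sys/.dat/.log), uacinit.dll and the
# UACd.sys service: the pattern commonly attributed to the TDSS/TDL2 rootkit.
# The 12-20 letter bound is an assumption wide enough for the 17 seen here.
UAC_RE = re.compile(r"(?i)UAC(?:[a-z]{12,20}\.(?:dll|sys|dat|log)|init\.dll|d\.sys)\b")
# WinPcap packet-capture components; legitimate if the user installed them.
WINPCAP = {"npf.sys", "packet.dll", "wpcap.dll", "wanpacket.dll", "rpcapd.exe"}
# ComboFix service line: <R|S><start type> <name>;<display name>;<image> [...]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")


def basename(path):
    """Last component of a Windows path, lower-cased for set lookups."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Walk the log once and bucket the lines a reviewer should look at."""
    findings = {"rootkit_files": [], "rootkit_services": [],
                "winpcap": [], "broken_services": []}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if UAC_RE.search(line):
            bucket = "rootkit_services" if line.startswith("-------\\") else "rootkit_files"
            findings[bucket].append(line)
            continue
        if section == "Other Deletions" and basename(line) in WINPCAP:
            findings["winpcap"].append(line)
            continue
        if section == "Drivers/Services" and line.lower().endswith("_npf"):
            findings["winpcap"].append(line)       # the NPF driver service itself
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, image = m.group(1) + m.group(2), m.group(3), m.group(5).strip()
            if image.endswith("[x]"):      # registry entry with no image path at all
                findings["broken_services"].append((start, name, "no image path"))
            elif image.endswith("[?]"):    # path present, file not on disk
                findings["broken_services"].append((start, name, "image not on disk"))
    return findings


def summarize(findings):
    """Plain-text summary, one line per finding, in the order a reply would give."""
    out = [f"rootkit files deleted: {len(findings['rootkit_files'])}",
           f"rootkit services deleted: {len(findings['rootkit_services'])}",
           f"WinPcap components deleted: {len(findings['winpcap'])}"]
    for start, name, why in findings["broken_services"]:
        out.append(f"service {name} ({start}) still registered but {why}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run it against a full log by reading the file into `triage`; the section banners are what keep a WinPcap DLL listed under "Files Created" from being reported as a deletion, and the `[x]`/`[?]` split matters because a `[?]` entry still names a path that the next fix has to delete from the registry.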
 
Thanks. A nasty rootkit infection was removed by ComboFix; you need to keep this computer offline, except while troubleshooting the problems, until we are sure you are clean. This junk can download more.

TeaTimer is running; please follow these directions to disable it and leave it disabled until we finish.
We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

Post the link to the fresh diagnostic at PCPitStop next please.

Thanks
 
here you go: http://www.pcpitstop.com/betapit/sec.asp?conid=22439574


I've tried looking up updates for Creative SB Audigy 2 ZS (WDM), but I can't find one that doesn't require me to download an update scanner that scans for free but requires payment to use.

Also note: I ran the malware program and found no trace of the file we were trying to get rid of. My Windows defrag is working, Spybot is working, and it appears I'm no longer being redirected during Google and Yahoo searches (though it is still too early to tell for sure). I do notice that my computer seems to be running a little slower since the Combofix scan, although I'm guessing that's normal.

Anywho, I'll be sure to stay offline unless checking this site or running updates or scans. Thanks for everything so far.
 
This information will help with the first item:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

I will allow you to resolve the other issue, you made good progress.

Have a look at this information; you do have programs I doubt you need running all of the time. Remember, if you turn off a program in MSConfig (System Configuration Utility), it can always be started from All Programs if needed. Make sure not to turn off security programs.
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://www.bleepingcomputer.com/forums/index.php?showtopic=87058&st=0&p=487112&#entry487112
http://www.microsoft.com/atwork/getstarted/speed.mspx

Let's proceed like this and see what happens.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

(optional if it was just clean)
Update MBAM and scan to be sure we missed none of the junk. There is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update AVG8 and scan the system, to be sure it is running right and scanning clean.
Some good AVG information:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
 
Welp, ADV and Malware say my system's clean. Seems like all I've gotta do now is figure out how to turn off those programs that are eatin' up my excess RAM. It's probably more a systems problem than malware, but last night when I updated my drivers, and when I reset, for some reason my computer's color quality was set to 4-bit and I couldn't increase it. So I did a system restore to a point I had made before updating the drivers, and it reset it back to the way it was supposed to be. However, I now notice I once again have seven instances of svchost.exe running instead of three, and PC Pitstop is showing I'm back up to 83% of my RAM being used (it also shows I need to update two of my drivers, but when I try to, they say they're already updated).

But anyway, like I said, that seems to be more of a systems problem that I can try to work out on my own or find someone who knows more about systems than I do. Thank you pskelley, you're a real lifesaver on this one. I don't have any spare cash right now, but when I do I'll be sure to make a donation; after all, I want you guys to be around the next time I download a virus, now don't I :D

Laters
 