My Laptop is Infected with Spyware

Logs look ok. Still not seeing any malware. Looks like what avast found was from a web page. That means it's trying to do its job. Web Shield I think they call it?
One last download. There is a guide you can read first before using it. Read through the guide then apply the directions on your own machine. Post the log in your reply.
Guide to using Combofix
 
Combofix Log

Hi Shelf life,

Please see Combofix log below, many thanks:
ComboFix 13-02-26.01 - Jimbub 28/02/2013 17:43:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2775 [GMT 0:00]
Running from: c:\documents and settings\Jimbub\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: eTrust Antivirus *Disabled/Updated* {33EA71EA-56CF-40B5-A06B-BD3A27397C33}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\QSLLPSVCShare
c:\windows\system32\SET7B.tmp
c:\windows\system32\SET7D.tmp
c:\windows\system32\SET89.tmp
c:\windows\system32\test
c:\windows\system32\Thumbs.db
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-01-28 to 2013-02-28 )))))))))))))))))))))))))))))))
.
.
2013-02-24 18:54 . 2013-02-24 18:54 -------- d-----w- c:\documents and settings\Jimbub\Local Settings\Application Data\RadioSure
2013-02-20 23:03 . 2013-02-20 23:03 40960 ----a-r- c:\documents and settings\Jimbub\Application Data\Microsoft\Installer\{01ED1AFB-D352-413B-8415-5DC5F1D23983}\NewShortcut2_01ED1AFBD352413B84155DC5F1D23983.exe
2013-02-20 23:03 . 2013-02-20 23:03 40960 ----a-r- c:\documents and settings\Jimbub\Application Data\Microsoft\Installer\{01ED1AFB-D352-413B-8415-5DC5F1D23983}\NewShortcut1_01ED1AFBD352413B84155DC5F1D23983.exe
2013-02-20 23:03 . 2013-02-20 23:03 40960 ----a-r- c:\documents and settings\Jimbub\Application Data\Microsoft\Installer\{01ED1AFB-D352-413B-8415-5DC5F1D23983}\ARPPRODUCTICON.exe
2013-02-20 22:44 . 2013-02-20 22:44 -------- d-----w- c:\windows\system32\wbem\Repository
2013-02-20 22:37 . 2013-02-20 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SolarWinds
2013-02-20 22:36 . 2013-02-20 22:36 -------- d-----w- c:\documents and settings\Jimbub\Application Data\SolarWinds
2013-02-20 22:18 . 2013-02-20 22:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\COMODO(2)
2013-02-20 21:55 . 2013-02-20 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2013-02-20 21:55 . 2013-02-20 22:42 -------- d-----w- c:\program files\Common Files\Comodo
2013-02-20 21:53 . 2013-02-20 22:42 -------- d-----w- c:\documents and settings\Jimbub\Local Settings\Application Data\COMODO
2013-02-20 20:03 . 2013-02-20 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
2013-02-20 19:02 . 2013-02-20 19:02 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-02-20 19:01 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-03 18:54 . 2013-02-03 18:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2013-02-03 18:22 . 2013-02-03 18:22 -------- d-----w- c:\windows\system32\winrm
2013-02-03 18:22 . 2013-02-03 18:22 -------- d-----w- c:\windows\system32\GroupPolicy
2013-02-03 18:22 . 2013-02-03 18:22 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-02-03 17:42 . 2013-02-03 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-02-03 17:42 . 2013-02-03 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2013-02-03 17:42 . 2013-02-03 17:42 -------- d-----w- c:\documents and settings\Jimbub\Application Data\IObit
2013-02-03 17:42 . 2013-02-03 17:42 -------- d-----w- c:\program files\IObit
2013-01-31 16:27 . 2013-01-31 16:27 -------- d-----w- c:\documents and settings\Jimbub\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-28 17:33 . 2012-11-15 16:00 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-28 17:33 . 2012-11-15 16:00 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-26 03:55 . 2004-08-11 16:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:19 . 2004-08-11 16:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2004-08-03 21:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-11 16:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-11 16:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2013-01-02 06:49 . 2004-08-11 16:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2012-12-26 20:16 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16 . 2004-08-11 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
2012-12-16 12:23 . 2004-08-11 16:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2002-04-03 15:01 . 2007-03-08 10:41 286720 ------w- c:\program files\internet explorer\plugins\PanoViewer.dll
1999-04-30 16:00 . 2007-03-08 10:41 98304 ------w- c:\program files\internet explorer\plugins\UPjpeg.dll
2013-01-31 16:39 . 2013-01-31 16:39 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Advanced SystemCare 6"="c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2013-01-15 491840]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"AVSFirewall"="c:\program files\AVS4YOU\AVSFirewall\AVSFirewall.exe" [2010-09-20 6159432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-12-24 295072]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA&inst=NwA3AC0AMQA1ADQAMwA0ADYANgAzADQANAAtAEYAUAA5ADIAKwA1AC0ARABEAFQAKwAwAC0ARgBMACsAOQAtAFMAVAA5ADAARgBBAFAAUAArADEA&prod=90&ver=9.0.914" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [04/01/2013 14:50 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/01/2013 14:50 361032]
R1 AVSRegMonDrv;AVSRegMonDrv;c:\program files\AVS4YOU\AVSFirewall\AVSRegMonDrv.sys [15/11/2012 15:51 17992]
R1 AVSTDIFilterDrv;AVSTDIFilterDrv;c:\program files\AVS4YOU\AVSFirewall\AVSTDIFilterDrv.sys [15/11/2012 15:51 24648]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe [03/02/2013 17:42 465216]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/01/2013 14:50 21256]
R2 AVSFirewallService;AVSFirewall Service;c:\program files\AVS4YOU\AVSFirewall\AVSFirewallService.exe [15/11/2012 15:51 80456]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [29/11/2012 20:31 38608]
R3 AVSNDISIMMP;AVSNDISIMMP;c:\windows\system32\drivers\AVSNDISIMDriver.sys [15/11/2012 15:51 23624]
S3 AVSNDISIM;AVSNDISIM Service;c:\windows\system32\drivers\AVSNDISIMDriver.sys [15/11/2012 15:51 23624]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [20/02/2013 19:02 40776]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/11/2007 20:22 34064]
S3 WinRing0_1_2_0;WinRing0_1_2_0; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-15 17:33]
.
2013-02-28 c:\windows\Tasks\ASC6_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 6\Monitor.exe [2013-02-03 18:47]
.
2013-02-28 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-01-04 22:50]
.
2013-02-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
2013-02-28 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1330721021-1131774879-2568000522-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 15:30]
.
2013-02-21 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1330721021-1131774879-2568000522-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-11-30 15:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Jimbub\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Jimbub\Application Data\Mozilla\Firefox\Profiles\kij5gm0g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c3c2c17&v=6.103.018.001&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - ExtSQL: 2013-01-04 14:50; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: !HIDDEN! 2010-07-15 11:56; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-U-Storage Service - c:\docume~1\Jimbub~1\LOCALS~1\Temp\U-Storage.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-28 17:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\`*& 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Ð* 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
Completion time: 2013-02-28 17:50:14
ComboFix-quarantined-files.txt 2013-02-28 17:50
.
Pre-Run: 54,462,734,336 bytes free
Post-Run: 54,620,778,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4A40D9179F5AFB8CE08F68BDCDA5BB5A
 
Not a malware issue. Can't remove what I don't see or what tools don't detect or remove themselves. There's nothing else left to run. Back in Jan. I said not everything is caused by malware. There are general computer forums here, for non-malware issues. I also think replacing a mainboard without a reformat/reinstall is just asking for potential problems, but that's just my two cents. I've built many desktops but have never just replaced a mainboard by itself.

If you think you still have malware then you can visit the Avast forums, I think you said it all started after Avast picked up something. You could also reformat/reinstall Windows.

You can remove combofix like this:

start>run and type in:
combofix /uninstall
click ok or enter
note the space after the x and before the /

You can delete the aswmbr and tdsskiller icons from your desktop as well as the logs.
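One way to triage a ComboFix log of this kind mechanically, as an added example that is not the forum's or ComboFix's own tooling: it parses the Run keys, the Security Center values and the service lines in the format shown above, lists the autostart entries, and flags the settings a helper looks at first (firewall off, Security Center alerting suppressed, services with no file, unqualified paths). The excerpt it runs on is constructed from a few lines of the posted log, and the reading of `[x]` as "no file found" is an assumption about ComboFix's notation.

```python
import re

# Constructed excerpt of a ComboFix log: a handful of lines copied from the
# "Reg Loading Points" section posted above, enough to exercise the parser.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
S3 WinRing0_1_2_0;WinRing0_1_2_0; [x]
"""

KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")                       # [HKEY_...]
ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+) \(0x[0-9a-fA-F]+\))$')
SERVICE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>[^\[]*)\[(?P<meta>[^\]]*)\]$")

def triage(log: str) -> dict:
    """Collect autostart entries and flag weakened security settings."""
    key, autostarts, findings = "", [], []
    for line in log.splitlines():
        line = line.rstrip()
        if m := KEY.match(line):
            key = m["key"].lower()          # remember which hive/key we are under
            continue
        if m := ENTRY.match(line):
            autostarts.append({"key": key, "name": m["name"], "path": m["path"]})
            if "\\" not in m["path"]:       # bare filename: which copy loads is not obvious
                findings.append(f"{m['name']}: unqualified path {m['path']!r}, verify which file actually loads")
            continue
        if m := VALUE.match(line):
            val = int(m["hex"], 16) if m["hex"] else int(m["dec"])
            if "security center" in key and m["name"] in ("FirewallOverride", "DisableMonitoring") and val == 1:
                findings.append(f"{m['name']}=1: Security Center alerting for this item is turned off")
            if "firewallpolicy" in key and m["name"] == "EnableFirewall" and val == 0:
                findings.append("EnableFirewall=0: Windows Firewall is off for this profile")
            continue
        if (m := SERVICE.match(line)) and m["meta"] == "x":   # assumed: [x] means no file on disk
            findings.append(f"{m['svc']}: service registered but no file found on disk")
    return {"autostarts": autostarts, "findings": findings}
```

Run against the full posted log, the findings list is what to read first; the autostart list is what to compare against the software the user expects to have installed.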
 
Thank You For Your Help!

Hi Shelf life,

Well, the problems remain the same as before I replaced the motherboard! The one thing I was most concerned about was not being able to install anti-spyware properly. I have not experienced problems replacing this type of motherboard before.

Thank you very much for your help investigating the problems. I have learned more about spyware as a result.

I think I will take your advice, wipe the hard drive and re-install Windows.

Kind Regards

Jimbub
 