slow moving HP (In Progress)
lost930 (Member with 96 posts. Join Date: Jun 2008. Location: Dallas TX. Experience: Beginner)
24-Jan-2010, 11:49 AM #16
combo fix log
ComboFix 10-01-23.06 - Jammie Foxx 01/24/2010 9:18.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.192 [GMT -8:00]
Running from: c:\documents and settings\Jammie Foxx\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DelUS.bat
c:\documents and settings\All Users\Application Data\MSN6
c:\documents and settings\All Users\Application Data\MSN6\au.ini
c:\documents and settings\Jammie Foxx\Application Data\MSN6
c:\documents and settings\Jammie Foxx\Application Data\MSN6\msndata.dat
c:\documents and settings\Jammie Foxx\Application Data\MSN6\msndata001.dat
c:\documents and settings\Jammie Foxx\Application Data\MSN6\msndata002.dat
c:\program files\\setup.exe
c:\windows\AegisP.inf
c:\windows\EventSystem.log
c:\windows\system32\{ba131a43-8cc5-83f5-32cd-9b1eb8dc7443}.dll-uninst.exe
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.
2010-01-24 01:02 . 2010-01-24 01:02 -------- d-----w- c:\program files\Trend Micro
2010-01-23 21:24 . 2010-01-23 21:24 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-23 21:13 . 2010-01-23 21:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-23 19:05 . 2010-01-23 21:28 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-23 19:05 . 2010-01-23 19:05 -------- d-----w- c:\documents and settings\Jammie Foxx\Application Data\PC Tools
2010-01-23 19:04 . 2010-01-23 21:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 04:52 . 2008-05-10 20:22 -------- d-----w- c:\program files\Common Files\Apple
2010-01-24 04:52 . 2006-01-01 23:00 -------- d-----w- c:\program files\iPod
2010-01-23 12:54 . 2008-08-30 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-01-23 12:53 . 2008-08-30 05:10 -------- d-----w- c:\program files\Kodak
2010-01-23 04:14 . 2005-04-20 20:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-21 21:55 . 2008-04-30 17:15 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-21 21:55 . 2008-04-30 17:15 21361 ----a-w- c:\windows\AegisP.sys
2009-12-21 19:14 . 2010-01-21 23:07 916480 ----a-w- c:\windows\system32\SET293.tmp
2009-12-21 19:14 . 2010-01-21 23:07 1208832 ----a-w- c:\windows\system32\SET294.tmp
2009-11-21 16:36 . 2004-08-12 13:55 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2006-05-17 06:20 . 2006-05-17 06:20 17 ----a-w- c:\program files\d.bat
2005-09-10 02:55 . 2006-08-28 00:54 7155864 ----a-w- c:\program files\NGhost10.msi
2005-09-10 02:55 . 2006-08-28 00:54 35 ----a-w- c:\program files\SCSSDist.ini
2005-09-10 02:55 . 2006-08-28 00:54 37766164 ----a-w- c:\program files\Data1.cab
2008-05-30 02:44 . 2008-05-26 16:04 6064160 --sha-w- c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Psoukn"="c:\windows\s?curity\m?hta.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 339968]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-20 149024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-01-23 2043160]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
c:\documents and settings\Jammie Foxx\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-6-23 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\program files\ComPlus Applications\kyzeqe.html
FriendlyName=
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\program files\Online Services\howynyka.html
FriendlyName=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-03 04:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/1/2008 12:52 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/1/2008 12:52 PM 297752]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]
S1 sisagpp;sisagpp;c:\windows\system32\drivers\sisagpp.sys --> c:\windows\system32\drivers\sisagpp.sys [?]
S2 TDKUSBDR;TDK MOJO USB driver;c:\windows\system32\drivers\TDKUSBDR.sys [8/15/2006 4:22 AM 11005]
S3 ALI5261;ALi Based Ethernet NT Driver;c:\windows\system32\drivers\ALI5261.SYS [4/29/2008 2:34 PM 27678]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [4/18/2008 9:00 PM 281600]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [6/9/2008 3:53 PM 227200]
S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [4/18/2008 9:01 PM 55999]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [4/30/2008 8:43 AM 802683]
S3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [4/30/2008 8:40 AM 128286]
S3 sgiul50;sgiul50;c:\windows\system32\drivers\sgiulnt5.sys [4/17/2007 6:03 PM 98080]
S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [4/18/2008 9:00 PM 701386]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SJYPKT
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C\HXFSETUP.EXE
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 09:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\netprovcredman.dll
- - - - - - - > 'explorer.exe'(3164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\pctspk.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wltrysvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\System32\bcmwltry.exe
.
**************************************************************************
.
Completion time: 2010-01-24 09:42:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 17:42
Pre-Run: 18,820,341,760 bytes free
Post-Run: 19,048,169,472 bytes free
- - End Of File - - F65DB2A307B08A3DE96E48F29F3F75E6
dvk01 (Moderator & Malware Removal Specialist with 37,223 posts. Join Date: Dec 2002. Location: Loughton, Essex, UK)
24-Jan-2010, 03:09 PM #17
Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up appears press SAVE, choose Desktop in the list of selections in that window and press Save).
Disable any antivirus/antimalware/firewall real-time protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.
Close any open browsers.
Then drag the CFScript.txt onto ComboFix.exe as shown in the screenshot below.
[Screenshot: dragging CFScript.txt onto ComboFix.exe]
This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.

This will create a zip file inside C:\QooBox\quarantine named something like [38]-Submit_2008-01-17@17.50.zip

At the end it will pop up an alert, open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select as before; when all the files are listed in the window, press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\quarantine created by ComboFix, named something like [38]-Submit_2008-01-17@17.50.zip

or to
http://www.bleepingcomputer.com/subm...php?channel=38
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
lost930 (Member with 96 posts. Join Date: Jun 2008. Location: Dallas TX. Experience: Beginner)
24-Jan-2010, 05:22 PM #18
I seem to be having a problem disabling my AVG. I disabled the Resident Shield as advised, but it's not disabling anything else?
lost930 (Member with 96 posts. Join Date: Jun 2008. Location: Dallas TX. Experience: Beginner)
24-Jan-2010, 06:44 PM #19
Don't you think you should have warned me that it was going to delete everything off my computer, so that I could have at least tried to create backups!!!! Thank you, now I have nothing on my laptop and no means of getting them all back.
lost930 (Member with 96 posts. Join Date: Jun 2008. Location: Dallas TX. Experience: Beginner)
24-Jan-2010, 07:02 PM #20
dvk01 (Moderator & Malware Removal Specialist with 37,223 posts. Join Date: Dec 2002. Location: Loughton, Essex, UK)
25-Jan-2010, 04:21 AM #21
OK, calm down, you haven't lost everything.

There has been a bug with ComboFix; I have just found out about it and there is a fix.

Follow the advice here:
http://www.techsupportforum.com/secu...ml#post2559729

Once that has been done, post back.
lost930 (Member with 96 posts. Join Date: Jun 2008. Location: Dallas TX. Experience: Beginner)
26-Jan-2010, 12:00 AM #22
Greetings sir, I have done as you have asked.
dvk01 (Moderator & Malware Removal Specialist with 37,223 posts. Join Date: Dec 2002. Location: Loughton, Essex, UK)
26-Jan-2010, 11:19 AM #23
How is the computer now?
lost930 (Member with 96 posts. Join Date: Jun 2008. Location: Dallas TX. Experience: Beginner)
26-Jan-2010, 09:00 PM #24
It seems to be OK. Should I run another scan?
dvk01 (Moderator & Malware Removal Specialist with 37,223 posts. Join Date: Dec 2002. Location: Loughton, Essex, UK)
27-Jan-2010, 04:25 AM #25
Yes. Make sure you delete the existing ComboFix from the desktop.

Download an updated copy from the same location and run it.

Let's see what still needs to be done.
lost930 (Member with 96 posts. Join Date: Jun 2008. Location: Dallas TX. Experience: Beginner)
28-Jan-2010, 12:27 AM #26
new log
ComboFix 10-01-27.03 - Jammie Foxx 01/27/2010 22:03:07.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.108 [GMT -8:00]
Running from: c:\documents and settings\Jammie Foxx\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Jammie Foxx\Application Data\SpeedRunner
c:\documents and settings\Jammie Foxx\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Jammie Foxx\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Jammie Foxx\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\NetworkService\Application Data\NetMon
c:\documents and settings\NetworkService\Application Data\NetMon\domains.txt
c:\documents and settings\NetworkService\Application Data\NetMon\log.txt
.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.
2010-01-27 03:39 . 2010-01-27 03:41 -------- d-----w- c:\program files\iTunes
2010-01-27 03:37 . 2010-01-27 03:38 -------- d-----w- c:\program files\QuickTime
2010-01-26 05:35 . 2010-01-26 05:35 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InterVideo
2010-01-26 05:35 . 2010-01-26 05:35 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AOL
2010-01-26 05:35 . 2010-01-26 05:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2010-01-26 05:35 . 2010-01-26 05:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2010-01-26 05:35 . 2010-01-26 05:35 -------- d-----w- c:\documents and settings\Jammie Foxx\UserData
2010-01-26 05:10 . 2010-01-26 05:10 -------- d-----w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150010}
2010-01-26 05:10 . 2010-01-26 05:10 -------- d-----w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\Qtrax1
2010-01-26 05:08 . 2010-01-26 05:08 -------- d-----w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\ApplicationHistory
2010-01-26 05:08 . 2010-01-26 05:08 -------- d-----w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\Apple Computer
2010-01-26 05:08 . 2010-01-26 05:08 -------- d-----w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\Apple
2010-01-26 05:08 . 2006-08-28 03:05 134 ----a-w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\fusioncache.dat
2010-01-26 05:08 . 2010-01-26 05:08 -------- d-----w- c:\documents and settings\Jammie Foxx\IECompatCache
2010-01-26 05:06 . 2010-01-26 05:06 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Buensoft German
2010-01-26 05:05 . 2010-01-26 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-26 05:05 . 2010-01-26 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-01-26 04:56 . 2010-01-26 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-26 04:56 . 2010-01-26 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-26 04:56 . 2010-01-26 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-26 04:56 . 2005-04-21 01:51 105 ----a-w- c:\documents and settings\All Users\B1.bat
2010-01-26 04:55 . 2010-01-26 04:55 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-01-26 04:55 . 2010-01-26 04:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150010}
2010-01-26 04:55 . 2010-01-26 04:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-01-26 04:55 . 2010-01-26 04:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2010-01-26 04:55 . 2010-01-26 04:55 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-01-26 04:55 . 2010-01-26 04:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterVideo
2010-01-25 03:00 . 2009-10-10 05:20 49408 ----a-w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-25 00:42 . 2010-01-26 05:07 -------- d-sh--w- c:\documents and settings\Jammie Foxx\PrivacIE
2010-01-25 00:29 . 2010-01-25 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-25 00:29 . 2010-01-25 00:14 -------- d-----w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\ArcSoft
2010-01-25 00:28 . 2010-01-25 00:14 -------- d-----w- c:\documents and settings\Jammie Foxx\Local Settings\Application Data\Google
2010-01-25 00:28 . 2010-01-26 05:07 -------- d-----w- c:\documents and settings\Jammie Foxx\Application Data\ArcSoft
2010-01-25 00:28 . 2010-01-26 05:08 -------- d-sh--w- c:\documents and settings\Jammie Foxx\IETldCache
2010-01-25 00:26 . 2010-01-25 00:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2010-01-25 00:26 . 2010-01-26 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-01-25 00:25 . 2010-01-26 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-25 00:22 . 2010-01-25 00:12 -------- d-----w- c:\documents and settings\Jammie Foxx\Application Data\Intel
2010-01-25 00:22 . 2010-01-25 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2010-01-24 01:02 . 2010-01-24 01:02 -------- d-----w- c:\program files\Trend Micro
2010-01-23 19:05 . 2010-01-23 21:28 -------- d-----w- c:\program files\Common Files\PC Tools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 03:40 . 2006-01-01 23:00 -------- d-----w- c:\program files\iPod
2010-01-27 03:40 . 2008-05-10 20:22 -------- d-----w- c:\program files\Common Files\Apple
2010-01-26 05:06 . 2010-01-26 05:06 -------- d-----w- c:\documents and settings\Guest\Application Data\Yahoo!
2010-01-23 12:53 . 2008-08-30 05:10 -------- d-----w- c:\program files\Kodak
2010-01-23 04:14 . 2005-04-20 20:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-21 21:55 . 2008-04-30 17:15 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-01-21 21:55 . 2008-04-30 17:15 21361 ----a-w- c:\windows\AegisP.sys
2009-12-21 19:14 . 2010-01-21 23:07 916480 ----a-w- c:\windows\system32\SET293.tmp
2009-12-21 19:14 . 2010-01-21 23:07 1208832 ----a-w- c:\windows\system32\SET294.tmp
2009-12-21 19:14 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 16:36 . 2004-08-12 13:55 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2005-09-10 02:55 . 2006-08-28 00:54 7155864 ----a-w- c:\program files\NGhost10.msi
2005-09-10 02:55 . 2006-08-28 00:54 35 ----a-w- c:\program files\SCSSDist.ini
2005-09-10 02:55 . 2006-08-28 00:54 37766164 ----a-w- c:\program files\Data1.cab
2008-05-30 02:44 . 2008-05-26 16:04 6064160 --sha-w- c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 339968]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-20 149024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-01-23 2043160]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
c:\documents and settings\Jammie Foxx\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-6-23 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-03 04:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/1/2008 12:52 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/1/2008 12:52 PM 297752]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]
S2 TDKUSBDR;TDK MOJO USB driver;c:\windows\system32\drivers\TDKUSBDR.sys [8/15/2006 4:22 AM 11005]
S3 ALI5261;ALi Based Ethernet NT Driver;c:\windows\system32\drivers\ALI5261.SYS [4/29/2008 2:34 PM 27678]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [4/18/2008 9:00 PM 281600]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [6/9/2008 3:53 PM 227200]
S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [4/18/2008 9:01 PM 55999]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [4/30/2008 8:43 AM 802683]
S3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [4/30/2008 8:40 AM 128286]
S3 sgiul50;sgiul50;c:\windows\system32\drivers\sgiulnt5.sys [4/17/2007 6:03 PM 98080]
S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [4/18/2008 9:00 PM 701386]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IPOD_SERVICE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 22:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-01-27 22:24:08
ComboFix-quarantined-files.txt 2010-01-28 06:24
ComboFix2.txt 2010-01-25 00:38
ComboFix3.txt 2010-01-24 17:42
Pre-Run: 9,994,891,264 bytes free
Post-Run: 10,015,174,656 bytes free
- - End Of File - - 5DAC68E24DE813F69F87B0D684D45544
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
28-Jan-2010, 12:59 PM #27
Looks OK, but let's see what this finds.


Please download Malwarebytes' Anti-Malware to your desktop from HERE or HERE.

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so (press YES on the alert).
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once, and it does not need to be reported unless it continues on every boot.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
lost930
Member with 96 posts.
Join Date: Jun 2008
Location: Dallas TX
Experience: Beginner
28-Jan-2010, 10:57 PM #28
Malwarebytes' Anti-Malware 1.44
Database version: 3654
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
1/28/2010 6:44:39 PM
mbam-log-2010-01-28 (18-44-39).txt
Scan type: Quick Scan
Objects scanned: 136854
Time elapsed: 13 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IrisMon (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\TDPer.exe (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\kn3 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pnVes01 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\swTMP (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vb1 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
29-Jan-2010, 05:55 AM #29
Looks like it has cleared up the rest.

*Follow these steps to uninstall ComboFix and the other tools it downloaded to remove the malware*
* Click START, then RUN.
* Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

And scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer, and update whatever it suggests.

Then pay an urgent visit to Windows Update and make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.
lost930
Member with 96 posts.
Join Date: Jun 2008
Location: Dallas TX
Experience: Beginner
29-Jan-2010, 06:32 AM #30
There were some programs that the other guy had me download before they moved my thread; Malwarebytes was one of them. What do I need to do with those? And the ComboFix, once I download it, do I need to re-install it or remove it altogether?
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.