
Solved: I'm not really sure what's happening here, maybe malware?

Discussion in 'Virus & Other Malware Removal' started by occamsspork, Oct 9, 2008.

  1. occamsspork

    occamsspork Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    16
    Hi all. I have a strange problem. I run a dual-boot computer with Linux and WinXP, and while Linux always works, XP has been having some screwy issues with random lockups followed by a strange high pitched noise that lasts for a minute or so, then the entire system will lock up. I have also had a browser hijack happen once, redirecting me instantly to some site called stuff for girls full of slutty clothes and other garbage. I tried to run a scan with both ad-aware and Avira, but in both cases I got the same weird system hang mentioned above. I will edit this post with a HJT log in a few, but the last time this happened, The HJT log looked pretty clean, and I just reinstalled firefox and the problem went away. If anyone has any help, it would be greatly appreciated.
     
  2. occamsspork

    occamsspork Thread Starter

    Ok, here's the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:52:37 AM, on 10/9/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\COMODO\Firewall\cfp.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\COMODO\Firewall\cmdagent.exe
    D:\hjt\HiJackThis.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB807A7-825E-4573-B126-D7CA87A2DFA0}: NameServer = 24.25.5.148,24.25.5.147
    O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe

    I don't know what 017 is, but the rest of it looks alright.
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The O17 is Road Runner. Is that your ISP?
     
  4. occamsspork

    occamsspork Thread Starter

    Yes it is, I thought it might be because I set my IP to static the other day. I can't really see much in all the other stuff though.

    My bad for the misspelling, I was in a rush.

    I like your avatar. (y)
     
  5. cybertech

    cybertech Retired Moderator

    If your ISP suggests you do that it's ok. If not I will tell you it could create a problem for you down the road.

    Your spelling is not that bad! ;) I can show you a lot worse! :D
     
  6. occamsspork

    occamsspork Thread Starter

    Thanks for the vote of confidence!:D

    Anyway, on a whim the other day, I decided to try malwarebytes and NOD32 (not at the same time, of course) and they did find an infection in the windows that they removed, and now windows works again, but it is still somewhat sluggish, so I wonder if they got rid of the infections completely, but the HJT log shows nothing out of the ordinary, and I remember the things that MWB and NOD32 found not showing up at all. This tells me that HJT is of somewhat limited use in finding and removing malware and spyware; are there any other tools I could use that are more in depth? I'm even comfortable working from the command prompt, if need be.

    I don't think Road Runner has a problem with static IPs, I set it back to dynamic anyway, that was a test of port forwarding with my router.
     
  7. cybertech

    cybertech Retired Moderator

    If you could tell me what Malwarebytes removed I could possibly give you another scan to run.
     
  8. occamsspork

    occamsspork Thread Starter

    I (stupidly) didn't save the logs and I uninstalled both MWB and NOD while in safe mode to prevent conflicts with avira. I think it was (something).command...something.exe, I only remember that once MWB found and deleted that file and whatever traces it could find, I booted back into windows and it worked, it just performed a little sluggish. It still does, that's what I'm trying to puzzle out now.

    What scans did you have in mind? I'm up for anything at this point.
     
  9. cybertech

    cybertech Retired Moderator

    Visit this webpage for instructions for downloading and running ComboFix.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
     
  10. occamsspork

    occamsspork Thread Starter

    Alright, I ran all that, here are the logs:

    COMBOFIX:

    ComboFix 08-10-14.01 - Occamsspork 2008-10-14 14:45:45.1 - NTFSx86
    Running from: D:\Documents and Settings\Occamsspork\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
    .

    2008-10-14 09:46 . 2008-10-14 09:57 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\dvdcss
    2008-10-13 05:26 . 2003-06-25 16:05 266,360 --a------ D:\WINDOWS\system32\TweakUI.exe
    2008-10-13 05:26 . 2002-06-21 15:09 160,217 --a------ D:\WINDOWS\system32\PowerToysLicense.rtf
    2008-10-12 06:47 . 2008-10-12 06:56 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\vlc
    2008-10-12 04:09 . 2008-10-12 04:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
    2008-10-09 16:03 . 2008-10-09 16:03 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\Malwarebytes
    2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Program Files\Avira
    2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
    2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-10-09 13:15 . 2008-10-09 15:13 <DIR> d-------- D:\Documents and Settings\Administrator
    2008-10-07 06:06 . 2008-10-07 06:07 <DIR> d-------- D:\Program Files\DOSBox-0.72
    2008-10-01 02:05 . 2003-02-19 15:06 438,272 --a------ D:\WINDOWS\system32\cmcs21.ocx
    2008-10-01 02:05 . 2003-02-19 15:07 303,104 --a------ D:\WINDOWS\system32\cmcs21.dll
    2008-10-01 02:05 . 2004-02-08 19:55 180,132 --a------ D:\WINDOWS\system32\GDIPlus.tlb
    2008-10-01 01:43 . 2008-10-01 01:43 <DIR> d--h----- D:\WINDOWS\PIF
    2008-09-29 12:57 . 2008-09-29 13:34 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\LimeWire
    2008-09-29 12:56 . 2008-09-29 12:57 <DIR> d-------- D:\Program Files\LimeWire
    2008-09-29 12:38 . 2008-09-29 12:38 <DIR> d-------- D:\Program Files\CDBurnerXP Pro 3
    2008-09-29 12:04 . 2008-09-29 12:04 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\ImgBurn
    2008-09-29 12:02 . 2008-09-29 12:02 <DIR> d-------- D:\Program Files\ImgBurn
    2008-09-29 07:32 . 2003-03-02 17:44 7,552 --a------ D:\WINDOWS\system32\drivers\enodpl.sys
    2008-09-29 07:32 . 2003-04-19 00:32 4,736 --a------ D:\WINDOWS\system32\drivers\tandpl.sys
    2008-09-28 05:50 . 2008-10-13 19:05 <DIR> d-------- D:\hjt
    2008-09-27 12:38 . 2008-10-09 02:58 347 --a------ D:\WINDOWS\Warpath.ini
    2008-09-27 01:55 . 2008-09-27 02:04 536 --a------ D:\WINDOWS\eReg.dat
    2008-09-20 06:38 . 2008-09-20 06:43 <DIR> d--h----- D:\Program Files\InstallJammer Registry
    2008-09-15 04:10 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Outsim
    2008-09-15 04:10 . 2002-07-07 18:14 1,294,336 --a------ D:\WINDOWS\system32\vorbis.acm
    2008-09-15 04:09 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Image-Line

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-12 10:45 --------- d-----w D:\Program Files\VideoLAN
    2008-10-10 15:01 43,520 ----a-w D:\WINDOWS\system32\CmdLineExt03.dll
    2008-10-08 15:04 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\uTorrent
    2008-09-29 11:30 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-09-12 07:27 --------- d-----w D:\Program Files\Advanced GIF Animator
    2008-09-10 10:16 --------- d-----w D:\Program Files\hoversnap
    2008-09-05 06:05 --------- d-----w D:\Program Files\DAEMON Tools Lite
    2008-09-05 06:00 717,296 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
    2008-09-05 06:00 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\DAEMON Tools
    2008-09-02 21:57 --------- d-----w D:\Program Files\Sierra On-Line
    2008-09-02 19:55 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-02 19:53 --------- d-----w D:\Program Files\Lavasoft
    2008-09-02 19:52 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
    2008-08-30 23:17 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\GetRightToGo
    2008-08-28 13:52 --------- d-----w D:\Program Files\Foxit Software
    2008-08-25 13:15 --------- d-----w D:\Program Files\Java
    2008-08-25 13:14 --------- d-----w D:\Program Files\Common Files\Java
    2008-08-22 08:32 --------- d-----w D:\Program Files\Avernum 2
    2008-08-22 07:47 --------- d-----w D:\Program Files\CCleaner
    2008-08-21 12:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Saitek
    2008-08-20 18:43 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\U3
    2008-08-20 15:46 --------- d-----w D:\Program Files\7-Zip
    2008-08-19 17:36 --------- d-----w D:\Program Files\uTorrent
    2008-08-19 16:08 --------- d-----w D:\Program Files\Bethesda Softworks
    2008-08-19 15:45 --------- d-----w D:\Program Files\Marvell
    2008-08-19 15:44 --------- d-----w D:\Program Files\Common Files\InstallShield
    2008-08-19 15:09 --------- d-----w D:\Program Files\SpywareBlaster
    2008-08-19 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-19 15:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\comodo
    2008-08-19 15:03 87,056 ----a-w D:\WINDOWS\system32\drivers\cmdguard.sys
    2008-08-19 15:03 24,208 ----a-w D:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-08-19 15:03 143,104 ----a-w D:\WINDOWS\system32\guard32.dll
    2008-08-19 15:03 --------- d-----w D:\Program Files\COMODO
    2008-08-19 15:03 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\Comodo
    2008-08-19 06:30 --------- d-----w D:\Program Files\Realtek
    2008-08-19 06:27 --------- d-----w D:\Program Files\Intel
    2008-08-19 06:18 --------- d-----w D:\Program Files\Ray Adams
    2008-08-19 06:18 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\atitray
    2008-08-19 01:22 --------- d-----w D:\Program Files\microsoft frontpage
    2008-08-06 21:27 3,520,552 ----a-w D:\WINDOWS\procexp.exe
    2008-07-31 14:41 68,616 ----a-w D:\WINDOWS\system32\XAPOFX1_1.dll
    2008-07-31 14:41 238,088 ----a-w D:\WINDOWS\system32\xactengine3_2.dll
    2008-07-31 14:40 509,448 ----a-w D:\WINDOWS\system32\XAudio2_2.dll
    2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "MSConfig"="D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 D:\WINDOWS\RTHDCPL.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
    --a------ 2007-05-22 05:04 521128 D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    --a------ 2008-06-12 14:28 266497 D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
    --a------ 2008-08-19 11:03 1655552 D:\Program Files\COMODO\Firewall\cfp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "cmdAgent"=2 (0x2)
    "AntiVirService"=2 (0x2)
    "AntiVirScheduler"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\WINDOWS\\system32\\mmc.exe"=
    "D:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R1 atitray;atitray;D:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 18088]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-19 87056]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-19 24208]
    S3 gtermddo;gtermddo;D:\DOCUME~1\OCCAMS~1\LOCALS~1\Temp\gtermddo.sys [ ]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - D:\Documents and Settings\Occamsspork\Application Data\Mozilla\Firefox\Profiles\93ajk97c.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-14 14:46:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: D:\WINDOWS\system32\winlogon.exe
    -> D:\WINDOWS\system32\guard32.dll

    PROCESS: D:\WINDOWS\system32\lsass.exe
    -> D:\WINDOWS\system32\guard32.dll
    .
    Completion time: 2008-10-14 14:46:59
    ComboFix-quarantined-files.txt 2008-10-14 18:46:57

    Pre-Run: 19,782,430,720 bytes free
    Post-Run: 19,770,150,912 bytes free

    150 --- E O F --- 2008-09-11 07:33:45

    -------------------------------------------------------------

    HJT:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:55:48 PM, on 10/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\COMODO\Firewall\cfp.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\COMODO\Firewall\cmdagent.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\hjt\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe

    --
    End of file - 3086 bytes
    ---------------------------------------

    Everything seems pretty clean...:confused:
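    As an added example (not from the thread, and not code from HijackThis or ComboFix): a small Python triage pass over the two items questioned above, the O17 NameServer entry (is it really the ISP's DNS?) and the S3 gtermddo driver in the ComboFix log, which is registered from a user's Temp folder with no file on disk ("[ ]"). The ISP DNS allowlist is an assumption seeded from the thread's own values; fill it from the ISP's documentation or the DHCP lease.

```python
"""Triage HijackThis (O4/O17/O20) and ComboFix (R*/S* driver) log lines.

Flags: O17 NameServer entries not in a known-ISP allowlist, AppInit_DLLs
entries for review, and driver/service images under a Temp folder or with
no file present on disk.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB807A7-825E-4573-B126-D7CA87A2DFA0}: NameServer = 24.25.5.148,24.25.5.147
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-19 87056]
S3 gtermddo;gtermddo;D:\DOCUME~1\OCCAMS~1\LOCALS~1\Temp\gtermddo.sys [ ]
"""

# Assumption: resolvers the ISP really hands out (the moderator confirmed these
# as Road Runner's). Replace with values from the ISP or the DHCP lease.
KNOWN_ISP_DNS = {"24.25.5.148", "24.25.5.147"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
# ComboFix driver line: "<R|S><n> name;display;path [date size]"; "[ ]" means file missing.
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium", "review" or "info"
    line: str
    reason: str


def triage_line(line, known_dns=KNOWN_ISP_DNS):
    """Return the findings for one log line (empty list if nothing to say)."""
    line = line.strip()
    findings = []

    m = O17_RE.match(line)
    if m:
        servers = [s for s in m.group("servers").split(",") if s]
        unknown = [s for s in servers if s not in known_dns]
        if unknown:
            findings.append(Finding("high", line, f"NameServer not in ISP allowlist: {unknown}"))
        else:
            findings.append(Finding("info", line, "NameServer matches ISP allowlist"))
        return findings

    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs loads into every user32-linked process; always confirm the vendor.
        findings.append(Finding("review", line, f"AppInit_DLLs injects {m.group('path')} into every GUI process"))
        return findings

    m = SVC_RE.match(line)
    if m:
        path, meta = m.group("path"), m.group("meta").strip()
        if TEMP_DIR_RE.search(path):
            findings.append(Finding("high", line, "driver/service image lives under a Temp folder"))
        if not meta:
            findings.append(Finding("medium", line, "service is registered but its file is missing on disk"))
    return findings


def triage_log(text, known_dns=KNOWN_ISP_DNS):
    """Run triage_line over every line of a pasted log."""
    findings = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw, known_dns))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```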
     
  11. cybertech

    cybertech Retired Moderator

    Yes it seems clean. I'm not sure what is causing the problem. This is all I see. You might consider moving the data to the other partition and reinstalling Windows on this one.

    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
  12. occamsspork

    occamsspork Thread Starter

    combofix:

    ComboFix 08-10-14.01 - Occamsspork 2008-10-15 19:27:42.2 - NTFSx86
    Running from: D:\Documents and Settings\Occamsspork\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\Occamsspork\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    D:\DOCUME~1\OCCAMS~1\LOCALS~1\Temp\gtermddo.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GTERMDDO
    -------\Service_gtermddo


    ((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
    .

    2008-10-15 09:26 . 2008-10-15 09:27 1,393 --a------ D:\WINDOWS\imsins.BAK
    2008-10-14 14:16 . 2008-09-08 06:41 333,824 -----c--- D:\WINDOWS\system32\dllcache\srv.sys
    2008-10-14 14:15 . 2008-08-14 06:11 2,189,184 -----c--- D:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-14 14:15 . 2008-08-14 06:09 2,145,280 -----c--- D:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-14 14:15 . 2008-08-14 05:33 2,066,048 -----c--- D:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-14 14:15 . 2008-08-14 05:33 2,023,936 -----c--- D:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-10-14 14:15 . 2008-09-15 08:12 1,846,400 -----c--- D:\WINDOWS\system32\dllcache\win32k.sys
    2008-10-14 09:46 . 2008-10-14 09:57 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\dvdcss
    2008-10-13 05:26 . 2003-06-25 16:05 266,360 --a------ D:\WINDOWS\system32\TweakUI.exe
    2008-10-13 05:26 . 2002-06-21 15:09 160,217 --a------ D:\WINDOWS\system32\PowerToysLicense.rtf
    2008-10-12 06:47 . 2008-10-12 06:56 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\vlc
    2008-10-12 04:09 . 2008-10-12 04:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
    2008-10-09 16:03 . 2008-10-09 16:03 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\Malwarebytes
    2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Program Files\Avira
    2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
    2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-10-09 13:15 . 2008-10-09 15:13 <DIR> d-------- D:\Documents and Settings\Administrator
    2008-10-07 06:06 . 2008-10-07 06:07 <DIR> d-------- D:\Program Files\DOSBox-0.72
    2008-10-01 02:05 . 2003-02-19 15:06 438,272 --a------ D:\WINDOWS\system32\cmcs21.ocx
    2008-10-01 02:05 . 2003-02-19 15:07 303,104 --a------ D:\WINDOWS\system32\cmcs21.dll
    2008-10-01 02:05 . 2004-02-08 19:55 180,132 --a------ D:\WINDOWS\system32\GDIPlus.tlb
    2008-10-01 01:43 . 2008-10-01 01:43 <DIR> d--h----- D:\WINDOWS\PIF
    2008-09-29 12:57 . 2008-09-29 13:34 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\LimeWire
    2008-09-29 12:56 . 2008-09-29 12:57 <DIR> d-------- D:\Program Files\LimeWire
    2008-09-29 12:38 . 2008-09-29 12:38 <DIR> d-------- D:\Program Files\CDBurnerXP Pro 3
    2008-09-29 12:04 . 2008-09-29 12:04 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\ImgBurn
    2008-09-29 12:02 . 2008-09-29 12:02 <DIR> d-------- D:\Program Files\ImgBurn
    2008-09-29 07:32 . 2003-03-02 17:44 7,552 --a------ D:\WINDOWS\system32\drivers\enodpl.sys
    2008-09-29 07:32 . 2003-04-19 00:32 4,736 --a------ D:\WINDOWS\system32\drivers\tandpl.sys
    2008-09-28 05:50 . 2008-10-14 14:55 <DIR> d-------- D:\hjt
    2008-09-27 12:38 . 2008-10-09 02:58 347 --a------ D:\WINDOWS\Warpath.ini
    2008-09-27 01:55 . 2008-09-27 02:04 536 --a------ D:\WINDOWS\eReg.dat
    2008-09-20 06:38 . 2008-09-20 06:43 <DIR> d--h----- D:\Program Files\InstallJammer Registry
    2008-09-15 04:10 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Outsim
    2008-09-15 04:10 . 2002-07-07 18:14 1,294,336 --a------ D:\WINDOWS\system32\vorbis.acm
    2008-09-15 04:09 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Image-Line

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-12 10:45 --------- d-----w D:\Program Files\VideoLAN
    2008-10-10 15:01 43,520 ----a-w D:\WINDOWS\system32\CmdLineExt03.dll
    2008-10-08 15:04 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\uTorrent
    2008-09-29 11:30 --------- d--h--w D:\Program Files\InstallShield Installation Information
    2008-09-15 12:12 1,846,400 ----a-w D:\WINDOWS\system32\win32k.sys
    2008-09-12 07:27 --------- d-----w D:\Program Files\Advanced GIF Animator
    2008-09-10 10:16 --------- d-----w D:\Program Files\hoversnap
    2008-09-08 10:41 333,824 ----a-w D:\WINDOWS\system32\drivers\srv.sys
    2008-09-05 06:05 --------- d-----w D:\Program Files\DAEMON Tools Lite
    2008-09-05 06:00 717,296 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
    2008-09-05 06:00 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\DAEMON Tools
    2008-09-02 21:57 --------- d-----w D:\Program Files\Sierra On-Line
    2008-09-02 19:55 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-09-02 19:53 --------- d-----w D:\Program Files\Lavasoft
    2008-09-02 19:52 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
    2008-08-30 23:17 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\GetRightToGo
    2008-08-28 13:52 --------- d-----w D:\Program Files\Foxit Software
    2008-08-25 13:15 --------- d-----w D:\Program Files\Java
    2008-08-25 13:14 --------- d-----w D:\Program Files\Common Files\Java
    2008-08-22 08:32 --------- d-----w D:\Program Files\Avernum 2
    2008-08-22 07:47 --------- d-----w D:\Program Files\CCleaner
    2008-08-21 12:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Saitek
    2008-08-20 18:43 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\U3
    2008-08-20 15:46 --------- d-----w D:\Program Files\7-Zip
    2008-08-20 05:30 666,112 ----a-w D:\WINDOWS\system32\wininet.dll
    2008-08-19 17:36 --------- d-----w D:\Program Files\uTorrent
    2008-08-19 16:08 --------- d-----w D:\Program Files\Bethesda Softworks
    2008-08-19 15:45 --------- d-----w D:\Program Files\Marvell
    2008-08-19 15:44 --------- d-----w D:\Program Files\Common Files\InstallShield
    2008-08-19 15:09 --------- d-----w D:\Program Files\SpywareBlaster
    2008-08-19 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-19 15:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\comodo
    2008-08-19 15:03 87,056 ----a-w D:\WINDOWS\system32\drivers\cmdguard.sys
    2008-08-19 15:03 24,208 ----a-w D:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-08-19 15:03 143,104 ----a-w D:\WINDOWS\system32\guard32.dll
    2008-08-19 15:03 --------- d-----w D:\Program Files\COMODO
    2008-08-19 15:03 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\Comodo
    2008-08-19 06:30 --------- d-----w D:\Program Files\Realtek
    2008-08-19 06:27 --------- d-----w D:\Program Files\Intel
    2008-08-19 06:18 --------- d-----w D:\Program Files\Ray Adams
    2008-08-19 06:18 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\atitray
    2008-08-19 01:22 --------- d-----w D:\Program Files\microsoft frontpage
    2008-08-14 10:09 2,145,280 ----a-w D:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:33 2,023,936 ----a-w D:\WINDOWS\system32\ntkrnlpa.exe
    2008-08-06 21:27 3,520,552 ----a-w D:\WINDOWS\procexp.exe
    2008-07-31 14:41 68,616 ----a-w D:\WINDOWS\system32\XAPOFX1_1.dll
    2008-07-31 14:41 238,088 ----a-w D:\WINDOWS\system32\xactengine3_2.dll
    2008-07-31 14:40 509,448 ----a-w D:\WINDOWS\system32\XAudio2_2.dll
    2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
    2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
    .

    ((((((((((((((((((((((((((((( [email protected]_14.46.49.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-20 04:58:54 3,067,904 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\mshtml.dll
    + 2008-08-20 04:58:47 1,499,136 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\shdocvw.dll
    + 2008-08-20 04:58:50 620,032 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\urlmon.dll
    + 2008-08-20 04:58:48 666,624 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\wininet.dll
    + 2007-11-30 11:18:51 17,272 ----a-w D:\WINDOWS\$hf_mig$\KB956390\spmsg.dll
    + 2007-11-30 11:18:51 231,288 ----a-w D:\WINDOWS\$hf_mig$\KB956390\spuninst.exe
    + 2007-11-30 11:18:51 26,488 ----a-w D:\WINDOWS\$hf_mig$\KB956390\update\spcustom.dll
    + 2007-11-30 12:39:22 755,576 ----a-w D:\WINDOWS\$hf_mig$\KB956390\update\update.exe
    + 2007-11-30 12:39:22 382,840 ----a-w D:\WINDOWS\$hf_mig$\KB956390\update\updspapi.dll
    + 2008-08-14 10:09:26 2,145,280 ------w D:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
    + 2008-08-14 09:33:16 2,066,048 ------w D:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
    + 2008-08-14 09:33:16 2,023,936 ------w D:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
    + 2008-08-14 10:11:02 2,189,184 ------w D:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
    + 2005-10-21 00:02:28 163,328 ----a-w D:\WINDOWS\ERDNT\subs\ERDNT.EXE
    - 2008-06-20 11:40:08 138,496 -c----w D:\WINDOWS\system32\dllcache\afd.sys
    + 2008-08-14 10:04:36 138,496 -c----w D:\WINDOWS\system32\dllcache\afd.sys
    - 2008-06-23 15:09:27 3,067,392 -c----w D:\WINDOWS\system32\dllcache\mshtml.dll
    + 2008-08-20 05:30:53 3,067,904 -c----w D:\WINDOWS\system32\dllcache\mshtml.dll
    - 2008-06-26 08:15:29 1,499,136 -c----w D:\WINDOWS\system32\dllcache\shdocvw.dll
    + 2008-08-20 05:30:51 1,499,136 -c----w D:\WINDOWS\system32\dllcache\shdocvw.dll
    - 2008-06-26 08:15:30 619,520 -c----w D:\WINDOWS\system32\dllcache\urlmon.dll
    + 2008-08-20 05:30:52 619,520 -c----w D:\WINDOWS\system32\dllcache\urlmon.dll
    - 2008-06-23 15:09:27 666,112 -c----w D:\WINDOWS\system32\dllcache\wininet.dll
    + 2008-08-20 05:30:51 666,112 -c----w D:\WINDOWS\system32\dllcache\wininet.dll
    - 2008-06-20 11:40:08 138,496 ----a-w D:\WINDOWS\system32\drivers\afd.sys
    + 2008-08-14 10:04:36 138,496 ----a-w D:\WINDOWS\system32\drivers\afd.sys
    - 2008-09-05 07:05:29 91,888 ----a-w D:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-10-15 13:31:21 91,888 ----a-w D:\WINDOWS\system32\FNTCACHE.DAT
    - 2008-08-26 20:28:12 16,208,504 ----a-w D:\WINDOWS\system32\MRT.exe
    + 2008-10-07 19:19:40 16,721,856 ----a-w D:\WINDOWS\system32\MRT.exe
    - 2008-06-23 15:09:27 3,067,392 ----a-w D:\WINDOWS\system32\mshtml.dll
    + 2008-08-20 05:30:53 3,067,904 ----a-w D:\WINDOWS\system32\mshtml.dll
    - 2008-06-26 08:15:29 1,499,136 ----a-w D:\WINDOWS\system32\shdocvw.dll
    + 2008-08-20 05:30:51 1,499,136 ----a-w D:\WINDOWS\system32\shdocvw.dll
    - 2007-11-30 12:39:22 17,272 ------w D:\WINDOWS\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w D:\WINDOWS\system32\spmsg.dll
    - 2008-06-26 08:15:30 619,520 ----a-w D:\WINDOWS\system32\urlmon.dll
    + 2008-08-20 05:30:52 619,520 ----a-w D:\WINDOWS\system32\urlmon.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtiTrayTools"="D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe" [2007-05-22 521128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "COMODO Firewall Pro"="D:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-19 1655552]
    "avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 D:\WINDOWS\RTHDCPL.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\WINDOWS\\system32\\mmc.exe"=
    "D:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R1 atitray;atitray;D:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 18088]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-19 87056]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-19 24208]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-15 19:29:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    D:\WINDOWS\system32\ati2evxx.exe
    D:\WINDOWS\system32\ati2evxx.exe
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\COMODO\Firewall\cmdagent.exe
    D:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-15 19:30:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-15 23:30:43
    ComboFix2.txt 2008-10-14 18:47:00

    Pre-Run: 19,605,975,040 bytes free
    Post-Run: 19,551,051,776 bytes free

    209 --- E O F --- 2008-10-15 13:28:03

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:10:16 PM, on 10/15/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\COMODO\Firewall\cfp.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
    D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    D:\Program Files\COMODO\Firewall\cmdagent.exe
    D:\WINDOWS\explorer.exe
    D:\WINDOWS\system32\notepad.exe
    D:\hjt\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe

    --
    End of file - 3007 bytes
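The HijackThis and ComboFix output above lists the autostart locations (O4 Run keys, O20 AppInit_DLLs, O23 services) that a helper reads by eye. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that parses HJT-style lines and picks out the entries a reviewer would verify first: an O4 image given without a path (resolved through the search order), an O4 image under a user-writable directory, any AppInit_DLLs entry, and any service with an "Unknown owner" field. The sample lines are copied from the log above, plus one constructed, hypothetical HKCU Run entry under a Temp directory so the user-writable-path rule fires; the rules are heuristics that select entries for a human to check, not verdicts (whether guard32.dll and the two "Unknown owner" services belong to the COMODO and ATI products also present in the log is exactly what the reviewer then confirms).

```python
"""Triage of HijackThis-style autostart lines.

Added example for this thread; it is not HijackThis code, and the rules are
heuristics that select entries for a human to verify, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe
"""
# One hypothetical line that is NOT in the thread, added only to exercise the
# "autostart from a user-writable location" rule.
SAMPLE_LOG += r'O4 - HKCU\..\Run: [updater] "D:\Documents and Settings\Occamsspork\Local Settings\Temp\upd.exe"' + "\n"


@dataclass
class Entry:
    code: str   # HJT section code, e.g. "O4", "O20", "O23"
    body: str   # text after "O4 - "
    raw: str    # the original line


@dataclass
class Finding:
    entry: Entry
    reason: str


LINE_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Lower-case path fragments treated as user-writable (heuristic, this example's own list).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\users\\")


def parse_hjt(text: str) -> List[Entry]:
    """Turn HJT log text into Entry objects; lines that are not O*/R* items are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m["code"], m["body"], raw))
    return entries


def image_path(cmd: str) -> str:
    """Extract the executable from a Run-key command: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries: List[Entry]) -> List[Finding]:
    """Select entries worth a manual check; order follows the log."""
    findings = []
    for e in entries:
        if e.code == "O4":
            m = O4_RE.search(e.body)
            if not m:
                continue
            path = image_path(m["cmd"])
            if "\\" not in path:
                findings.append(Finding(e, "image name has no path; it is resolved "
                                           "through the search order, confirm which file runs"))
            elif any(frag in path.lower() for frag in USER_WRITABLE):
                findings.append(Finding(e, "autostart from a user-writable location"))
        elif e.code == "O20":
            findings.append(Finding(e, "AppInit_DLLs entry: loaded into every process that "
                                       "links user32.dll, confirm the DLL's vendor"))
        elif e.code == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e, "service with no company field; verify the "
                                       "binary's signature and vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.entry.code}] {f.reason}\n    {f.entry.raw}")
```

Run it over a saved HJT log by replacing SAMPLE_LOG with the file's contents; everything the script reports still has to be confirmed against the vendor and the file on disk, which is what the helper in this thread did by cross-checking against the ComboFix driver and service listing.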
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The P2P programs you have installed expose you to risks because of the nature of the P2P file sharing process. File sharing/P2P programs rely on members giving and gaining unrestricted access to computers across the P2P network. This practice can make you vulnerable to data and identity theft. It also exposes you to very malicious worms and trojans. You can change those risky default settings to a safer configuration, but the act of downloading files from an anonymous source greatly increases your exposure to infection.

    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.
     
  14. occamsspork

    occamsspork Thread Starter

    Joined:
    Sep 28, 2008
    Messages:
    16
    Hmmm. The Kaspersky report came back clean, and I've known the Kaspersky online test to find all kinds of things regular AV/antispyware programs miss, so I'm thinking MWB and NOD got rid of whatever it was.

    The computer is working normally now, I guess the slowdown was caused by a hiccup in my ISP or some sort of conflict somewhere. I'll look into it.

    As for the P2P apps, I rarely use them (and I'll probably just get rid of limewire, the last few times it seemed completely infested with malware and viruses) and BT I only use for legit purposes, such as old abandonware DOS games, Linux distros or other things in the public domain.

    Anyway, thanks for all your help! You'll probably see me around the forums here and there, but I don't post much on any message board, I prefer to just lurk unless I have something worthwhile to say.

    Thanks again, should I mark this solved?
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Yes, feel free to mark it solved. :)

    Follow these steps to uninstall Combofix and tools used in the removal of malware
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

    That will remove Combofix and any folders it created.

    You're welcome!
     
Short URL to this thread: https://techguy.org/757486