Solved: I'm not really sure what's happening here, maybe malware?

Status: This thread has been Locked and is not open to further replies.

occamsspork (Thread Starter; joined Sep 28, 2008; 16 messages)
Hi all. I have a strange problem. I run a dual-boot computer with Linux and WinXP, and while Linux always works, XP has been having some screwy issues with random lockups followed by a strange high-pitched noise that lasts for a minute or so, then the entire system will lock up. I have also had a browser hijack happen once, redirecting me instantly to some site called stuff for girls, full of slutty clothes and other garbage. I tried to run a scan with both Ad-Aware and Avira, but in both cases I got the same weird system hang mentioned above. I will edit this post with an HJT log in a few, but the last time this happened, the HJT log looked pretty clean, and I just reinstalled Firefox and the problem went away. If anyone has any help, it would be greatly appreciated.
 

occamsspork (Thread Starter)
Ok, here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:37 AM, on 10/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\COMODO\Firewall\cfp.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
D:\hjt\HiJackThis.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB807A7-825E-4573-B126-D7CA87A2DFA0}: NameServer = 24.25.5.148,24.25.5.147
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe

I don't know what 017 is, but the rest of it looks alright.
 

occamsspork (Thread Starter)
Yes it is; I thought it might be because I set my IP to static the other day. I can't really see much in all the other stuff, though.

My bad for the misspelling, I was in a rush.

I like your avatar. (y)
 

cybertech (Retired Moderator; joined Apr 16, 2002; 72,115 messages)
If your ISP suggests you do that, it's ok. If not, I will tell you it could create a problem for you down the road.

Your spelling is not that bad! ;) I can show you a lot worse! :D
 

occamsspork (Thread Starter)
Thanks for the vote of confidence! :D

Anyway, on a whim the other day, I decided to try Malwarebytes and NOD32 (not at the same time, of course), and they did find an infection in Windows that they removed. Now Windows works again, but it is still somewhat sluggish, so I wonder if they got rid of the infections completely. The HJT log shows nothing out of the ordinary, and I remember the things that MWB and NOD32 found not showing up in it at all. This tells me that HJT is of somewhat limited use in finding and removing malware and spyware; are there any other tools I could use that are more in depth? I'm even comfortable working from the command prompt, if need be.

I don't think Road Runner has a problem with static IPs; I set it back to dynamic anyway. That was a test of port forwarding with my router.
 

cybertech (Retired Moderator)
If you could tell me what Malwarebytes removed I could possibly give you another scan to run.
 

occamsspork (Thread Starter)
I (stupidly) didn't save the logs, and I uninstalled both MWB and NOD while in safe mode to prevent conflicts with Avira. I think it was (something).command...something.exe; I only remember that once MWB found and deleted that file and whatever traces it could find, I booted back into Windows and it worked, it just performed a little sluggish. It still does; that's what I'm trying to puzzle out now.

What scans did you have in mind? I'm up for anything at this point.
 

cybertech (Retired Moderator)
Visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 

occamsspork (Thread Starter)
Alright, I ran all that, here are the logs:

COMBOFIX:

ComboFix 08-10-14.01 - Occamsspork 2008-10-14 14:45:45.1 - NTFSx86
Running from: D:\Documents and Settings\Occamsspork\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-14 09:46 . 2008-10-14 09:57 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\dvdcss
2008-10-13 05:26 . 2003-06-25 16:05 266,360 --a------ D:\WINDOWS\system32\TweakUI.exe
2008-10-13 05:26 . 2002-06-21 15:09 160,217 --a------ D:\WINDOWS\system32\PowerToysLicense.rtf
2008-10-12 06:47 . 2008-10-12 06:56 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\vlc
2008-10-12 04:09 . 2008-10-12 04:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
2008-10-09 16:03 . 2008-10-09 16:03 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\Malwarebytes
2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Program Files\Avira
2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-09 13:15 . 2008-10-09 15:13 <DIR> d-------- D:\Documents and Settings\Administrator
2008-10-07 06:06 . 2008-10-07 06:07 <DIR> d-------- D:\Program Files\DOSBox-0.72
2008-10-01 02:05 . 2003-02-19 15:06 438,272 --a------ D:\WINDOWS\system32\cmcs21.ocx
2008-10-01 02:05 . 2003-02-19 15:07 303,104 --a------ D:\WINDOWS\system32\cmcs21.dll
2008-10-01 02:05 . 2004-02-08 19:55 180,132 --a------ D:\WINDOWS\system32\GDIPlus.tlb
2008-10-01 01:43 . 2008-10-01 01:43 <DIR> d--h----- D:\WINDOWS\PIF
2008-09-29 12:57 . 2008-09-29 13:34 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\LimeWire
2008-09-29 12:56 . 2008-09-29 12:57 <DIR> d-------- D:\Program Files\LimeWire
2008-09-29 12:38 . 2008-09-29 12:38 <DIR> d-------- D:\Program Files\CDBurnerXP Pro 3
2008-09-29 12:04 . 2008-09-29 12:04 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\ImgBurn
2008-09-29 12:02 . 2008-09-29 12:02 <DIR> d-------- D:\Program Files\ImgBurn
2008-09-29 07:32 . 2003-03-02 17:44 7,552 --a------ D:\WINDOWS\system32\drivers\enodpl.sys
2008-09-29 07:32 . 2003-04-19 00:32 4,736 --a------ D:\WINDOWS\system32\drivers\tandpl.sys
2008-09-28 05:50 . 2008-10-13 19:05 <DIR> d-------- D:\hjt
2008-09-27 12:38 . 2008-10-09 02:58 347 --a------ D:\WINDOWS\Warpath.ini
2008-09-27 01:55 . 2008-09-27 02:04 536 --a------ D:\WINDOWS\eReg.dat
2008-09-20 06:38 . 2008-09-20 06:43 <DIR> d--h----- D:\Program Files\InstallJammer Registry
2008-09-15 04:10 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Outsim
2008-09-15 04:10 . 2002-07-07 18:14 1,294,336 --a------ D:\WINDOWS\system32\vorbis.acm
2008-09-15 04:09 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Image-Line

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-12 10:45 --------- d-----w D:\Program Files\VideoLAN
2008-10-10 15:01 43,520 ----a-w D:\WINDOWS\system32\CmdLineExt03.dll
2008-10-08 15:04 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\uTorrent
2008-09-29 11:30 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-09-12 07:27 --------- d-----w D:\Program Files\Advanced GIF Animator
2008-09-10 10:16 --------- d-----w D:\Program Files\hoversnap
2008-09-05 06:05 --------- d-----w D:\Program Files\DAEMON Tools Lite
2008-09-05 06:00 717,296 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2008-09-05 06:00 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\DAEMON Tools
2008-09-02 21:57 --------- d-----w D:\Program Files\Sierra On-Line
2008-09-02 19:55 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-02 19:53 --------- d-----w D:\Program Files\Lavasoft
2008-09-02 19:52 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-08-30 23:17 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\GetRightToGo
2008-08-28 13:52 --------- d-----w D:\Program Files\Foxit Software
2008-08-25 13:15 --------- d-----w D:\Program Files\Java
2008-08-25 13:14 --------- d-----w D:\Program Files\Common Files\Java
2008-08-22 08:32 --------- d-----w D:\Program Files\Avernum 2
2008-08-22 07:47 --------- d-----w D:\Program Files\CCleaner
2008-08-21 12:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Saitek
2008-08-20 18:43 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\U3
2008-08-20 15:46 --------- d-----w D:\Program Files\7-Zip
2008-08-19 17:36 --------- d-----w D:\Program Files\uTorrent
2008-08-19 16:08 --------- d-----w D:\Program Files\Bethesda Softworks
2008-08-19 15:45 --------- d-----w D:\Program Files\Marvell
2008-08-19 15:44 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-08-19 15:09 --------- d-----w D:\Program Files\SpywareBlaster
2008-08-19 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-19 15:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\comodo
2008-08-19 15:03 87,056 ----a-w D:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-19 15:03 24,208 ----a-w D:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-19 15:03 143,104 ----a-w D:\WINDOWS\system32\guard32.dll
2008-08-19 15:03 --------- d-----w D:\Program Files\COMODO
2008-08-19 15:03 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\Comodo
2008-08-19 06:30 --------- d-----w D:\Program Files\Realtek
2008-08-19 06:27 --------- d-----w D:\Program Files\Intel
2008-08-19 06:18 --------- d-----w D:\Program Files\Ray Adams
2008-08-19 06:18 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\atitray
2008-08-19 01:22 --------- d-----w D:\Program Files\microsoft frontpage
2008-08-06 21:27 3,520,552 ----a-w D:\WINDOWS\procexp.exe
2008-07-31 14:41 68,616 ----a-w D:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 14:41 238,088 ----a-w D:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 14:40 509,448 ----a-w D:\WINDOWS\system32\XAudio2_2.dll
2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MSConfig"="D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 D:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
--a------ 2007-05-22 05:04 521128 D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-06-12 14:28 266497 D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
--a------ 2008-08-19 11:03 1655552 D:\Program Files\COMODO\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdAgent"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 atitray;atitray;D:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 18088]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-19 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-19 24208]
S3 gtermddo;gtermddo;D:\DOCUME~1\OCCAMS~1\LOCALS~1\Temp\gtermddo.sys [ ]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Occamsspork\Application Data\Mozilla\Firefox\Profiles\93ajk97c.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 14:46:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\system32\guard32.dll

PROCESS: D:\WINDOWS\system32\lsass.exe
-> D:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-10-14 14:46:59
ComboFix-quarantined-files.txt 2008-10-14 18:46:57

Pre-Run: 19,782,430,720 bytes free
Post-Run: 19,770,150,912 bytes free

150 --- E O F --- 2008-09-11 07:33:45

-------------------------------------------------------------

HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:48 PM, on 10/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\COMODO\Firewall\cfp.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 3086 bytes
---------------------------------------

Everything seems pretty clean...:confused:
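Added example (not part of the thread, and not HijackThis or ComboFix code): a small triage script for the two things the thread turns on, the O17 entry in the first HijackThis log (O17 is HijackThis's section for the Tcpip NameServer and Domain registry values, i.e. which DNS resolvers Windows will use) and the `S3 gtermddo;...\Temp\gtermddo.sys [ ]` driver line in the ComboFix log, which is the one entry the moderator later scripts out. It parses the line formats exactly as they appear in the logs above, reports O17 resolvers so they can be checked against the ISP's, and flags drivers registered from a Temp directory or with no date/size recorded, plus AppInit_DLLs and "Unknown owner" services for review. The sample lines are copied from the logs above; the severity labels and rule wording are my own assumptions, not HijackThis or ComboFix output.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: persistence-relevant lines copied verbatim from the
# HijackThis and ComboFix logs posted in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r'O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB807A7-825E-4573-B126-D7CA87A2DFA0}: NameServer = 24.25.5.148,24.25.5.147',
    r'O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll',
    r'O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe',
    r'R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-19 87056]',
    r'S3 gtermddo;gtermddo;D:\DOCUME~1\OCCAMS~1\LOCALS~1\Temp\gtermddo.sys [ ]',
]

# HijackThis entry: "<section> - <body>", e.g. "O17 - HKLM\...: NameServer = ..."
HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
# ComboFix driver/service entry: "<start type> <name>;<description>;<path> [<date size>]"
CF_DRIVER = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
# A kernel driver image under a Temp directory is not where any vendor installs one.
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str        # "high" or "review" (labels are this example's own convention)
    line: str            # the log line that triggered the finding
    reasons: List[str]   # one explanation per rule that fired


def dns_servers(o17_line: str) -> List[str]:
    """Extract the resolver addresses from an O17 (Tcpip NameServer) entry."""
    m = re.search(r"NameServer\s*=\s*([\d.,\s]+)$", o17_line)
    if not m:
        return []
    return [ip for ip in re.split(r"[,\s]+", m.group(1).strip()) if ip]


def hjt_reasons(code: str, body: str, line: str) -> List[str]:
    """Rules for HijackThis sections; sections not listed here are left alone."""
    if code == "O17":
        return ["DNS resolvers are set in the registry to " + ", ".join(dns_servers(line))
                + "; confirm they belong to your ISP, since a changed resolver can silently redirect browsing"]
    if code == "O20" and body.startswith("AppInit_DLLs"):
        return ["AppInit_DLLs loads this DLL into every process that loads user32.dll; verify the publisher"]
    if code == "O23" and "Unknown owner" in body:
        return ["service binary carries no company name in its version info; verify it against the vendor"]
    return []


def combofix_driver_reasons(m: "re.Match") -> Tuple[str, List[str]]:
    """Rules for ComboFix driver/service lines; returns (severity, reasons)."""
    path, meta = m.group("path"), m.group("meta").strip()
    severity, reasons = "review", []
    if TEMP_PATH.search(path):
        severity = "high"
        reasons.append(f"driver '{m.group('name')}' is registered from a Temp directory: {path}")
    if not meta:  # ComboFix printed "[ ]": no date/size could be read for the file
        reasons.append(f"no date/size recorded for {path}: the file is likely gone while the service entry remains")
    return severity, reasons


def triage(lines) -> List[Finding]:
    """Run both rule sets over mixed HijackThis/ComboFix lines; one Finding per flagged line."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        severity, reasons = "review", []
        hjt = HJT_LINE.match(line)
        if hjt:
            reasons = hjt_reasons(hjt.group("code"), hjt.group("body"), line)
        else:
            drv = CF_DRIVER.match(line)
            if drv:
                severity, reasons = combofix_driver_reasons(drv)
        if reasons:
            findings.append(Finding(severity, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity.upper()}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the thread's logs this yields one high-severity hit (the Temp-directory driver with no file metadata) and three review items; the Avira Run entry and the COMODO driver pass untouched, which matches the moderator's reading that the logs are otherwise clean.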
 

cybertech (Retired Moderator)
Yes, it seems clean. I'm not sure what is causing the problem. This is all I see. You might consider moving the data to the other partition and reinstalling Windows on this one.

Open Notepad and copy and paste the text in the quote box below into it:
File::
D:\DOCUME~1\OCCAMS~1\LOCALS~1\Temp\gtermddo.sys
Driver::
gtermddo

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 

occamsspork (Thread Starter)
ComboFix:

ComboFix 08-10-14.01 - Occamsspork 2008-10-15 19:27:42.2 - NTFSx86
Running from: D:\Documents and Settings\Occamsspork\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Occamsspork\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\DOCUME~1\OCCAMS~1\LOCALS~1\Temp\gtermddo.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GTERMDDO
-------\Service_gtermddo


((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-15 09:26 . 2008-10-15 09:27 1,393 --a------ D:\WINDOWS\imsins.BAK
2008-10-14 14:16 . 2008-09-08 06:41 333,824 -----c--- D:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 14:15 . 2008-08-14 06:11 2,189,184 -----c--- D:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-14 14:15 . 2008-08-14 06:09 2,145,280 -----c--- D:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-14 14:15 . 2008-08-14 05:33 2,066,048 -----c--- D:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-14 14:15 . 2008-08-14 05:33 2,023,936 -----c--- D:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-14 14:15 . 2008-09-15 08:12 1,846,400 -----c--- D:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 09:46 . 2008-10-14 09:57 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\dvdcss
2008-10-13 05:26 . 2003-06-25 16:05 266,360 --a------ D:\WINDOWS\system32\TweakUI.exe
2008-10-13 05:26 . 2002-06-21 15:09 160,217 --a------ D:\WINDOWS\system32\PowerToysLicense.rtf
2008-10-12 06:47 . 2008-10-12 06:56 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\vlc
2008-10-12 04:09 . 2008-10-12 04:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
2008-10-09 16:03 . 2008-10-09 16:03 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\Malwarebytes
2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Program Files\Avira
2008-10-09 16:01 . 2008-10-09 16:01 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-09 13:20 . 2008-10-09 13:20 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-09 13:15 . 2008-10-09 15:13 <DIR> d-------- D:\Documents and Settings\Administrator
2008-10-07 06:06 . 2008-10-07 06:07 <DIR> d-------- D:\Program Files\DOSBox-0.72
2008-10-01 02:05 . 2003-02-19 15:06 438,272 --a------ D:\WINDOWS\system32\cmcs21.ocx
2008-10-01 02:05 . 2003-02-19 15:07 303,104 --a------ D:\WINDOWS\system32\cmcs21.dll
2008-10-01 02:05 . 2004-02-08 19:55 180,132 --a------ D:\WINDOWS\system32\GDIPlus.tlb
2008-10-01 01:43 . 2008-10-01 01:43 <DIR> d--h----- D:\WINDOWS\PIF
2008-09-29 12:57 . 2008-09-29 13:34 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\LimeWire
2008-09-29 12:56 . 2008-09-29 12:57 <DIR> d-------- D:\Program Files\LimeWire
2008-09-29 12:38 . 2008-09-29 12:38 <DIR> d-------- D:\Program Files\CDBurnerXP Pro 3
2008-09-29 12:04 . 2008-09-29 12:04 <DIR> d-------- D:\Documents and Settings\Occamsspork\Application Data\ImgBurn
2008-09-29 12:02 . 2008-09-29 12:02 <DIR> d-------- D:\Program Files\ImgBurn
2008-09-29 07:32 . 2003-03-02 17:44 7,552 --a------ D:\WINDOWS\system32\drivers\enodpl.sys
2008-09-29 07:32 . 2003-04-19 00:32 4,736 --a------ D:\WINDOWS\system32\drivers\tandpl.sys
2008-09-28 05:50 . 2008-10-14 14:55 <DIR> d-------- D:\hjt
2008-09-27 12:38 . 2008-10-09 02:58 347 --a------ D:\WINDOWS\Warpath.ini
2008-09-27 01:55 . 2008-09-27 02:04 536 --a------ D:\WINDOWS\eReg.dat
2008-09-20 06:38 . 2008-09-20 06:43 <DIR> d--h----- D:\Program Files\InstallJammer Registry
2008-09-15 04:10 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Outsim
2008-09-15 04:10 . 2002-07-07 18:14 1,294,336 --a------ D:\WINDOWS\system32\vorbis.acm
2008-09-15 04:09 . 2008-09-15 04:10 <DIR> d-------- D:\Program Files\Image-Line

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-12 10:45 --------- d-----w D:\Program Files\VideoLAN
2008-10-10 15:01 43,520 ----a-w D:\WINDOWS\system32\CmdLineExt03.dll
2008-10-08 15:04 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\uTorrent
2008-09-29 11:30 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-09-15 12:12 1,846,400 ----a-w D:\WINDOWS\system32\win32k.sys
2008-09-12 07:27 --------- d-----w D:\Program Files\Advanced GIF Animator
2008-09-10 10:16 --------- d-----w D:\Program Files\hoversnap
2008-09-08 10:41 333,824 ----a-w D:\WINDOWS\system32\drivers\srv.sys
2008-09-05 06:05 --------- d-----w D:\Program Files\DAEMON Tools Lite
2008-09-05 06:00 717,296 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2008-09-05 06:00 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\DAEMON Tools
2008-09-02 21:57 --------- d-----w D:\Program Files\Sierra On-Line
2008-09-02 19:55 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-02 19:53 --------- d-----w D:\Program Files\Lavasoft
2008-09-02 19:52 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-08-30 23:17 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\GetRightToGo
2008-08-28 13:52 --------- d-----w D:\Program Files\Foxit Software
2008-08-25 13:15 --------- d-----w D:\Program Files\Java
2008-08-25 13:14 --------- d-----w D:\Program Files\Common Files\Java
2008-08-22 08:32 --------- d-----w D:\Program Files\Avernum 2
2008-08-22 07:47 --------- d-----w D:\Program Files\CCleaner
2008-08-21 12:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\Saitek
2008-08-20 18:43 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\U3
2008-08-20 15:46 --------- d-----w D:\Program Files\7-Zip
2008-08-20 05:30 666,112 ----a-w D:\WINDOWS\system32\wininet.dll
2008-08-19 17:36 --------- d-----w D:\Program Files\uTorrent
2008-08-19 16:08 --------- d-----w D:\Program Files\Bethesda Softworks
2008-08-19 15:45 --------- d-----w D:\Program Files\Marvell
2008-08-19 15:44 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-08-19 15:09 --------- d-----w D:\Program Files\SpywareBlaster
2008-08-19 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-19 15:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\comodo
2008-08-19 15:03 87,056 ----a-w D:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-19 15:03 24,208 ----a-w D:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-19 15:03 143,104 ----a-w D:\WINDOWS\system32\guard32.dll
2008-08-19 15:03 --------- d-----w D:\Program Files\COMODO
2008-08-19 15:03 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\Comodo
2008-08-19 06:30 --------- d-----w D:\Program Files\Realtek
2008-08-19 06:27 --------- d-----w D:\Program Files\Intel
2008-08-19 06:18 --------- d-----w D:\Program Files\Ray Adams
2008-08-19 06:18 --------- d-----w D:\Documents and Settings\Occamsspork\Application Data\atitray
2008-08-19 01:22 --------- d-----w D:\Program Files\microsoft frontpage
2008-08-14 10:09 2,145,280 ----a-w D:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w D:\WINDOWS\system32\ntkrnlpa.exe
2008-08-06 21:27 3,520,552 ----a-w D:\WINDOWS\procexp.exe
2008-07-31 14:41 68,616 ----a-w D:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 14:41 238,088 ----a-w D:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 14:40 509,448 ----a-w D:\WINDOWS\system32\XAudio2_2.dll
2008-07-19 02:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w D:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-14_14.46.49.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-20 04:58:54 3,067,904 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\mshtml.dll
+ 2008-08-20 04:58:47 1,499,136 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\shdocvw.dll
+ 2008-08-20 04:58:50 620,032 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\urlmon.dll
+ 2008-08-20 04:58:48 666,624 ----a-w D:\WINDOWS\$hf_mig$\KB956390\SP3QFE\wininet.dll
+ 2007-11-30 11:18:51 17,272 ----a-w D:\WINDOWS\$hf_mig$\KB956390\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w D:\WINDOWS\$hf_mig$\KB956390\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w D:\WINDOWS\$hf_mig$\KB956390\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w D:\WINDOWS\$hf_mig$\KB956390\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w D:\WINDOWS\$hf_mig$\KB956390\update\updspapi.dll
+ 2008-08-14 10:09:26 2,145,280 ------w D:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:33:16 2,066,048 ------w D:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:33:16 2,023,936 ------w D:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 10:11:02 2,189,184 ------w D:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2005-10-21 00:02:28 163,328 ----a-w D:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-06-20 11:40:08 138,496 -c----w D:\WINDOWS\system32\dllcache\afd.sys
+ 2008-08-14 10:04:36 138,496 -c----w D:\WINDOWS\system32\dllcache\afd.sys
- 2008-06-23 15:09:27 3,067,392 -c----w D:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-20 05:30:53 3,067,904 -c----w D:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-06-26 08:15:29 1,499,136 -c----w D:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-08-20 05:30:51 1,499,136 -c----w D:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-06-26 08:15:30 619,520 -c----w D:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-20 05:30:52 619,520 -c----w D:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-06-23 15:09:27 666,112 -c----w D:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-20 05:30:51 666,112 -c----w D:\WINDOWS\system32\dllcache\wininet.dll
- 2008-06-20 11:40:08 138,496 ----a-w D:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 10:04:36 138,496 ----a-w D:\WINDOWS\system32\drivers\afd.sys
- 2008-09-05 07:05:29 91,888 ----a-w D:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-15 13:31:21 91,888 ----a-w D:\WINDOWS\system32\FNTCACHE.DAT
- 2008-08-26 20:28:12 16,208,504 ----a-w D:\WINDOWS\system32\MRT.exe
+ 2008-10-07 19:19:40 16,721,856 ----a-w D:\WINDOWS\system32\MRT.exe
- 2008-06-23 15:09:27 3,067,392 ----a-w D:\WINDOWS\system32\mshtml.dll
+ 2008-08-20 05:30:53 3,067,904 ----a-w D:\WINDOWS\system32\mshtml.dll
- 2008-06-26 08:15:29 1,499,136 ----a-w D:\WINDOWS\system32\shdocvw.dll
+ 2008-08-20 05:30:51 1,499,136 ----a-w D:\WINDOWS\system32\shdocvw.dll
- 2007-11-30 12:39:22 17,272 ------w D:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w D:\WINDOWS\system32\spmsg.dll
- 2008-06-26 08:15:30 619,520 ----a-w D:\WINDOWS\system32\urlmon.dll
+ 2008-08-20 05:30:52 619,520 ----a-w D:\WINDOWS\system32\urlmon.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiTrayTools"="D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe" [2007-05-22 521128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"COMODO Firewall Pro"="D:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-19 1655552]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 D:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= D:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\WINDOWS\\system32\\mmc.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 atitray;atitray;D:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 18088]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;D:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-19 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;D:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-19 24208]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 19:29:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-15 19:30:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-15 23:30:43
ComboFix2.txt 2008-10-14 18:47:00

Pre-Run: 19,605,975,040 bytes free
Post-Run: 19,551,051,776 bytes free

209 --- E O F --- 2008-10-15 13:28:03

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:16 PM, on 10/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\COMODO\Firewall\cfp.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 3007 bytes
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
The P2P programs you have installed expose you to risks because of the nature of the P2P file sharing process. File sharing/P2P programs rely on members giving and gaining unrestricted access to computers across the P2P network. This practice can make you vulnerable to data and identity theft. It also exposes you to very malicious worms and trojans. You can change those risky default settings to a safer configuration, but the act of downloading files from an anonymous source greatly increases your exposure to infection.



Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
 

occamsspork

Thread Starter
Joined
Sep 28, 2008
Messages
16
Hmmm. The Kaspersky report came back clean, and I've known the Kaspersky online test to find all kinds of things regular AV/antispyware programs miss, so I'm thinking MWB and NOD got rid of whatever it was.

The computer is working normally now, I guess the slowdown was caused by a hiccup in my ISP or some sort of conflict somewhere. I'll look into it.

As for the P2P apps, I rarely use them (and I'll probably just get rid of LimeWire; the last few times it seemed completely infested with malware and viruses), and BT I only use for legit purposes, such as old abandonware DOS games, Linux distros or other things in the public domain.

Anyway, thanks for all your help! You'll probably see me around the forums here and there, but I don't post much on any message board; I prefer to just lurk unless I have something worthwhile to say.

Thanks again, should I mark this solved?
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Yes, feel free to mark it solved. :)

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

That will remove Combofix and any folders it created.

You're welcome!
 