Computer infected - not sure which viruses specifically


#31
CWeezy2424 (Member, Topic Starter, 52 posts)
Ron,

Re-ran TDSSKiller - no infection found.

For sound - I followed your steps - the following subitems were listed under sound, video and game controllers:
-Audio Codecs
-Legacy Audio Drivers
-Legacy Video Capture Devices
-Media Control Devices
-SoundMAX Integrated Digital Audio
-Video Codecs

When I right click each item, the only one that has UNINSTALL as an option is "SoundMAX Integrated Digital Audio". Should I proceed with uninstall?

Going to re-run ComboFix now...

How do I get Avast 5.0?

Thanks for the update on SP3 - did not know that. Once we finish I will download it.

So now I am re-running ComboFix and will post my log. In the meantime, I will await the answers to the 2 questions above. Thanks so much for your help; I can definitely see an improvement.
  • 0

#32
CWeezy2424 (Member, Topic Starter, 52 posts)
ComboFix Log:

ComboFix 10-07-27.02 - asli 07/27/2010 23:47:40.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.320 [GMT -4:00]
Running from: c:\documents and settings\asli\Desktop\george.exe
AV: avast! antivirus 4.7.1098 [VPS 100727-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-17 01:38 . 2010-07-17 01:38 -------- d-----w- C:\_OTL
2010-07-16 04:35 . 2010-07-16 04:35 -------- d-----w- c:\program files\ERUNT
2010-07-15 23:03 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 23:03 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 22:28 . 2010-07-15 22:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-13 00:27 . 2010-07-13 00:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 00:27 . 2010-07-13 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-07-13 00:24 . 2010-07-13 00:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-08 23:54 . 2010-07-13 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 03:25 . 2008-01-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2010-07-17 01:35 . 2008-01-16 19:45 -------- d-----w- c:\program files\Java
2010-07-16 00:48 . 2008-02-19 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 00:27 . 2009-08-28 22:51 -------- d-----w- c:\documents and settings\asli\Application Data\uTorrent
2010-07-09 00:38 . 2009-01-28 19:35 256 ----a-w- c:\windows\system32\pool.bin
2010-06-24 22:28 . 2008-07-31 19:15 -------- d-----w- c:\program files\McAfee
2010-06-14 14:30 . 2007-09-11 04:46 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-06 10:41 . 2004-08-04 13:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2004-08-04 13:00 1850880 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-26_23.09.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 03:22 . 2010-07-28 03:22 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
+ 2007-09-11 04:46 . 2010-06-14 14:30 743936 c:\windows\system32\dllcache\helpsvc.exe
- 2007-09-11 04:46 . 2004-08-04 13:00 743936 c:\windows\system32\dllcache\helpsvc.exe
+ 2008-01-29 18:18 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 88363]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2006-02-10 278528]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2006-07-14 106496]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\asli\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-18 00:50 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 3:15 PM 93320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/29/2008 3:23 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd24
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\asli\Application Data\Mozilla\Firefox\Profiles\nzlasclv.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0yahoo&bm=yh_home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 23:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?2?0?5??P???? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-07-27 23:54:48
ComboFix-quarantined-files.txt 2010-07-28 03:54
ComboFix2.txt 2010-07-26 23:12

Pre-Run: 31,640,150,016 bytes free
Post-Run: 31,618,572,288 bytes free

- - End Of File - - E7F7F9E0DBEE635175C19D712CCCBEE3
  • 0

#33
RKinner (Malware Expert, MVP, 24,625 posts)
Proceed with the uninstall. It will probably take the others with it. Windows will discover them on the next boot and reinstall the drivers. Sometimes we get lucky and that fixes it.

The free home version of Avast 5 is available at http://www.avast.com...avast-home.html

If ComboFix is now running fairly quickly again, try dragging the script over to it and letting go (pause the antivirus first). Let's see if it will take the CFScript now.
  • 0

#34
CWeezy2424 (Member, Topic Starter, 52 posts)
Ron,

Uninstalled the audio driver, and then proceeded with the ComboFix instruction. See log below. It required a reboot within ComboFix, and upon the reboot, sound was restored!!! So far you are a miracle worker!!!!!

ComboFix 10-07-27.02 - asli 07/28/2010 0:16.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.247 [GMT -4:00]
Running from: c:\documents and settings\asli\Desktop\george.exe
Command switches used :: c:\documents and settings\asli\Desktop\CFScript.txt
AV: avast! antivirus 4.7.1098 [VPS 100727-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\drivers\nmuhqjp.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRTRATE
-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-17 01:38 . 2010-07-17 01:38 -------- d-----w- C:\_OTL
2010-07-16 04:35 . 2010-07-16 04:35 -------- d-----w- c:\program files\ERUNT
2010-07-15 23:03 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 23:03 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 22:28 . 2010-07-15 22:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-13 00:27 . 2010-07-13 00:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 00:27 . 2010-07-13 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-07-13 00:24 . 2010-07-13 00:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-08 23:54 . 2010-07-13 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 04:26 . 2008-01-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2010-07-17 01:35 . 2008-01-16 19:45 -------- d-----w- c:\program files\Java
2010-07-16 00:48 . 2008-02-19 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 00:27 . 2009-08-28 22:51 -------- d-----w- c:\documents and settings\asli\Application Data\uTorrent
2010-07-09 00:38 . 2009-01-28 19:35 256 ----a-w- c:\windows\system32\pool.bin
2010-06-24 22:28 . 2008-07-31 19:15 -------- d-----w- c:\program files\McAfee
2010-06-14 14:30 . 2007-09-11 04:46 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-06 10:41 . 2004-08-04 13:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2004-08-04 13:00 1850880 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----


---- Directory of c:\program files\Common ----



((((((((((((((((((((((((((((( SnapShot@2010-07-26_23.09.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 04:23 . 2010-07-28 04:23 16384 c:\windows\temp\Perflib_Perfdata_5ec.dat
+ 2007-09-11 04:46 . 2010-06-14 14:30 743936 c:\windows\system32\dllcache\helpsvc.exe
- 2007-09-11 04:46 . 2004-08-04 13:00 743936 c:\windows\system32\dllcache\helpsvc.exe
+ 2008-01-29 18:18 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 88363]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2006-02-10 278528]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2006-07-14 106496]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\asli\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-18 00:50 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 3:15 PM 93320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/29/2008 3:23 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\asli\Application Data\Mozilla\Firefox\Profiles\nzlasclv.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0yahoo&bm=yh_home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 00:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3288)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\AGRSMMSG.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-28 00:31:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-28 04:31
ComboFix2.txt 2010-07-28 03:54
ComboFix3.txt 2010-07-26 23:12

Pre-Run: 31,610,482,688 bytes free
Post-Run: 31,542,820,864 bytes free

- - End Of File - - 8F78EA5CEA843520A5016BC40E1BF1AB


What do you need me to do next?
  • 0
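Two things are worth pulling out of the pair of logs above. The first log listed a service with no file behind it (`S2 mrtRate;mrtRate; [x]`), and the CFScript run in #34 is what removed it (`-------\Service_mrtRate`). Both logs also carry two warning signs that are easy to skim past: the `AV:` header says avast's on-access scanning is disabled, and Security Center has `"AntiVirusOverride"=dword:00000001`, which suppresses the "no antivirus" warning. The script below is an added example, not part of the thread and not ComboFix's own code: it parses the service lines and Run-key values out of two logs, reports which services vanished between runs, flags Run values that are a bare file name (Windows resolves those through the search path, so a same-named file planted earlier in the path would win), and extracts the two warning signs. The two samples are constructed excerpts of the logs posted in #32 and #34; the regular expressions are my reading of the layout visible in those logs, not a published ComboFix format.

```python
"""Triage helpers for ComboFix logs: diff the service/driver list between two
runs and flag autostart entries that name a bare file instead of a full path.
Added example, not from the thread or from ComboFix; the samples are
constructed excerpts of the two logs posted above."""
import ntpath
import re

# Constructed sample: lines copied from the first log (before the CFScript ran).
LOG_BEFORE = r"""
AV: avast! antivirus 4.7.1098 [VPS 100727-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 88363]
"nwiz"="nwiz.exe" [2004-04-07 323584]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 9968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/29/2008 3:23 PM 24652]
S2 mrtRate;mrtRate; [x]
"""
# Constructed sample: the same sections from the second log (after the CFScript ran).
LOG_AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 88363]
"nwiz"="nwiz.exe" [2004-04-07 323584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 9968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/29/2008 3:23 PM 24652]
"""

# These patterns are my reading of the log layout above, not a published ComboFix spec.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);([^\[]*?)\s*\[(.*)\]\s*$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]\s*$')
SECTION_RE = re.compile(r"^\[(.+)\]$")
AV_RE = re.compile(r"^AV:\s+(.+?)\s+\[VPS[^\]]*\]\s*(.*)$")
OVERRIDE_RE = re.compile(r'^"(\w+Override)"=dword:0*1$')


def parse_services(text):
    """Map service name -> {'start': 'R1'/'S2'/..., 'path': image path}.
    An empty path (the log shows only '[x]') means no file backs the service."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services[m.group(2)] = {"start": m.group(1), "path": m.group(4).strip()}
    return services


def parse_run_entries(text):
    """Return [(section, value name, image path)] for values under a ...\\Run key."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        s = SECTION_RE.match(line)
        if s:
            section = s.group(1)
            continue
        m = RUN_VALUE_RE.match(line)
        if m and section and section.lower().endswith("\\run"):
            entries.append((section, m.group(1), m.group(2)))
    return entries


def removed_services(before, after):
    """Service names present in the first log but absent from the second."""
    return sorted(set(parse_services(before)) - set(parse_services(after)))


def bare_name_entries(text):
    """Run values whose data is a bare file name: Windows locates those through
    the search path, so a same-named file planted earlier in the path would win."""
    return [name for _sec, name, path in parse_run_entries(text)
            if path and ntpath.dirname(path) == ""]


def av_status(text):
    """(product string, True if the header says on-access scanning is disabled)."""
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            return m.group(1), "On-access scanning disabled" in m.group(2)
    return None, None


def security_center_overrides(text):
    """Security Center *Override values set to 1 (the matching warning is suppressed)."""
    found = []
    for line in text.splitlines():
        m = OVERRIDE_RE.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print("services gone after the CFScript:", removed_services(LOG_BEFORE, LOG_AFTER))
    print("bare-name Run entries:", bare_name_entries(LOG_AFTER))
    print("AV header:", av_status(LOG_BEFORE))
    print("Security Center overrides:", security_center_overrides(LOG_BEFORE))
```

On the logs above this reports `mrtRate` as the removed service, `AGRSMMSG` and `nwiz` as bare-name Run entries (both are common OEM components, so the flag is a prompt to confirm the file that actually gets loaded, not a verdict), the avast header with on-access scanning off, and the `AntiVirusOverride` value.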

#35
RKinner (Malware Expert, MVP, 24,625 posts)
Is it still slow?

Run the BitDefender free online scan

http://www.bitdefend...nline/free.html

Close all programs and browsers except for one IE or Firefox and go to the above link. Follow the instructions.

Copy and paste the report you get into a reply.

1. Double-click My Computer, and then right-click the hard disk that you want to check (C:).
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. (In Vista, next select Windows Logs.) Right-click on System and Clear Log, No (we don't want to save the old log), OK. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one, or it doesn't like your CD, just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes, tell me what they are. If you get a lot, just look for those with newish dates (since about the time the problem started).

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron
  • 0

#36
CWeezy2424 (Member, Topic Starter, 52 posts)
BitDefender Online Scanner

Scan report generated at: Thu, Jul 29, 2010 - 01:00:32

Scan path: C:\;D:\;

Statistics
Time: 00:56:55
Files: 159407
Folders: 9524
Boot Sectors: 0
Archives: 1858
Packed Files: 10209

Results
Identified Viruses: 3
Infected Files: 9
Suspect Files: 0
Warnings: 0
Disinfected: 2
Deleted Files: 7

Engines Info
Virus Definitions: 6192468
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Jun 18 2010)
Scan plugins: 18
Archive plugins: 44
Unpack plugins: 10
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\All Users\Application Data\InstallShield\UpdateService\Database\CERE.tmp
    Infected with: Trojan.FakeAV.KZQ -> Deleted
C:\Documents and Settings\asli\Local Settings\temp\27e9cbaa.exe
    Infected with: Trojan.Generic.KD.23138 -> Deleted
C:\Documents and Settings\asli\Local Settings\Temporary Internet Files\Content.IE5\3CD81K0T\ig[1]
    Infected with: Trojan.FakeAV.KZQ -> Deleted
C:\Documents and Settings\asli\Local Settings\Temporary Internet Files\Content.IE5\3CD81K0T\toolbarcfg2[1].xml
    Infected with: Trojan.FakeAV.KZQ -> Deleted
C:\Documents and Settings\asli\Local Settings\Temporary Internet Files\Content.IE5\RA2BVN3F\ESPNMotionXMLv4[2]
    Infected with: Trojan.FakeAV.KZQ -> Deleted
C:\Documents and Settings\asli\Local Settings\Temporary Internet Files\Content.IE5\WK9T4XZP\autoupdate[1].xml
    Infected with: Trojan.FakeAV.KZQ -> Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir
    Infected with: Rootkit.Patched.TDSS.Gen -> Disinfected
C:\System Volume Information\_restore{D5E2886E-2E86-48C7-B071-C7ED9E505E6A}\RP3\A0006217.sys
    Infected with: Rootkit.Patched.TDSS.Gen -> Disinfected
C:\System Volume Information\_restore{D5E2886E-2E86-48C7-B071-C7ED9E505E6A}\RP6\A0011511.exe
    Infected with: Trojan.Generic.KD.23138 -> Deleted

Next steps to follow...
  • 0
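Most of the hits in the BitDefender report above are not in places anything runs from. `atapi.sys.vir` under `C:\Qoobox\Quarantine` is the copy ComboFix had already pulled out of `system32\Drivers` (the scanner names it as a TDSS-patched ATAPI driver), and the `System Volume Information\_restore` entries are System Restore snapshots of the same files: harmless as they sit, but a System Restore to that point would bring them back. The live finds were the executable in the temp folder, the cached browser files, and one file in the InstallShield update database. The script below is an added example, not part of the thread and not BitDefender's code: it parses the scanner's one-field-per-line text report, merges the detection line and the action line the scanner prints for each file, buckets the hits by location, and cross-checks the distinct threat names against the report's own `Identified Viruses` count. REPORT is a constructed excerpt of the posted report (six of its nine hits); the location buckets are my triage convention, not the scanner's.

```python
"""Parse a BitDefender Online Scanner text report into records and group the
hits by where the file lived, so detections inside a quarantine folder or a
System Restore point are not read as an active infection. Added example, not
from the thread or from BitDefender; REPORT is a constructed excerpt (six of
the nine hits) of the report posted above, in the scanner's own layout."""
import re
from collections import Counter, defaultdict

REPORT = r"""
Results

Identified Viruses
3

Scanned File
Status

C:\Documents and Settings\All Users\Application Data\InstallShield\UpdateService\Database\CERE.tmp
Infected with: Trojan.FakeAV.KZQ
C:\Documents and Settings\All Users\Application Data\InstallShield\UpdateService\Database\CERE.tmp
Deleted
C:\Documents and Settings\asli\Local Settings\temp\27e9cbaa.exe
Infected with: Trojan.Generic.KD.23138
C:\Documents and Settings\asli\Local Settings\temp\27e9cbaa.exe
Deleted
C:\Documents and Settings\asli\Local Settings\Temporary Internet Files\Content.IE5\3CD81K0T\ig[1]
Infected with: Trojan.FakeAV.KZQ
C:\Documents and Settings\asli\Local Settings\Temporary Internet Files\Content.IE5\3CD81K0T\ig[1]
Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir
Infected with: Rootkit.Patched.TDSS.Gen
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir
Disinfected
C:\System Volume Information\_restore{D5E2886E-2E86-48C7-B071-C7ED9E505E6A}\RP3\A0006217.sys
Infected with: Rootkit.Patched.TDSS.Gen
C:\System Volume Information\_restore{D5E2886E-2E86-48C7-B071-C7ED9E505E6A}\RP3\A0006217.sys
Disinfected
C:\System Volume Information\_restore{D5E2886E-2E86-48C7-B071-C7ED9E505E6A}\RP6\A0011511.exe
Infected with: Trojan.Generic.KD.23138
C:\System Volume Information\_restore{D5E2886E-2E86-48C7-B071-C7ED9E505E6A}\RP6\A0011511.exe
Deleted
"""

# Summary fields that are cross-checked against the parsed file list.
STAT_RE = re.compile(r"^(Identified Viruses|Infected Files|Suspect Files|Disinfected|Deleted Files)$")


def parse_report(text):
    """Return (stats, records). stats maps a summary label to its number; each
    record is {'path', 'threat', 'action'}, merging the two lines the scanner
    prints per file (one with the detection name, one with the action taken)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    stats, by_path, i = {}, {}, 0
    while i < len(lines):
        if lines[i] == "Scanned File" and lines[i + 1:i + 2] == ["Status"]:
            i += 2          # skip the column header; file pairs follow
            break
        m = STAT_RE.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].isdigit():
            stats[m.group(1)] = int(lines[i + 1])
            i += 1
        i += 1
    while i + 1 < len(lines):
        path, status = lines[i], lines[i + 1]
        rec = by_path.setdefault(path, {"path": path, "threat": None, "action": None})
        if status.startswith("Infected with:"):
            rec["threat"] = status.split(":", 1)[1].strip()
        else:
            rec["action"] = status
        i += 2
    return stats, list(by_path.values())


def location_class(path):
    """Triage bucket derived from the path alone (my convention, not the scanner's)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # ComboFix backup copy, renamed .vir; not loaded
    if "\\system volume information\\_restore" in p:
        return "restore point"   # inert now, but System Restore would bring it back
    if "\\temporary internet files\\" in p or "\\local settings\\temp\\" in p:
        return "cache/temp"      # dropped or downloaded payload, not a persistence point
    return "other"               # anything else deserves a look at what loads it


def summarize(text):
    """Group hits by location and check the stated 'Identified Viruses' count."""
    stats, records = parse_report(text)
    by_loc = defaultdict(list)
    for r in records:
        by_loc[location_class(r["path"])].append(r["path"])
    threats = Counter(r["threat"] for r in records)
    stated = stats.get("Identified Viruses")
    return {"threats": threats, "by_location": dict(by_loc),
            "stats_consistent": stated is None or stated == len(threats)}


if __name__ == "__main__":
    s = summarize(REPORT)
    for loc, paths in s["by_location"].items():
        print(f"{loc}: {len(paths)} hit(s)")
    print("distinct threats:", dict(s["threats"]), "| summary consistent:", s["stats_consistent"])
```

On the excerpt this yields one hit in `quarantine`, two in `restore point`, two in `cache/temp`, and one `other` (the InstallShield `CERE.tmp`), with three distinct threat names matching the report's `Identified Viruses` figure. The restore-point bucket is the one to act on next: those copies are inert until someone restores that point, which is why cleanup threads usually finish by flushing old restore points.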

#37
RKinner (Malware Expert, MVP, 24,625 posts)
1. Double-click My Computer, and then right-click the hard disk that you want to check (C:).
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. (In Vista, next select Windows Logs.) Right-click on System and Clear Log, No (we don't want to save the old log), OK. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one, or it doesn't like your CD, just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes, tell me what they are. If you get a lot, just look for those with newish dates (since about the time the problem started).

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron
  • 0

#38
CWeezy2424 (Member, Topic Starter, 52 posts)
Ron,

Wouldn't let me "clear log"; instead, the only available option was "clear all events". I think this is the same, so I did that instead. Going to restart and allow error check to proceed now. Will post log when it completes...
  • 0

#39
RKinner (Malware Expert, MVP, 24,625 posts)
You're correct. Sorry about that.
  • 0

#40
CWeezy2424 (Member, Topic Starter, 52 posts)
No problem.

I went ahead with error checking. It was on stage 5/5, about 30% done, when I had to leave to run an errand. When I came back, there was no error log on screen and my computer was at the home screen. Was there supposed to be a log? Is there anywhere I can get it?
  • 0

#41
RKinner (Malware Expert, MVP, 24,625 posts)
There may be something in the event logs about the Disk Check but we don't really need the log. The main thing is that the program has done its thing.

Ron
  • 0

#42
CWeezy2424 (Member, Topic Starter, 52 posts)
Ron,

For the following instructions:

"Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP"

I am not able to proceed. It says "Files that are required for Windows to run properly must be copied to the DLL Cache. Insert your Windows Service Pack 2 CD now".

I do not have it, so I hit "cancel". It then says "If you cancel, Windows might require you to insert a CD later. Are you sure you want to skip this file?" I hit "Yes", and it just goes back to "Files that are required for Windows to run properly must be copied to the DLL Cache...." and it just keeps going back and forth. What do you advise?

(I do not have the SP2 CD; I installed it through a Windows update.)
  • 0

#43
RKinner (Malware Expert, MVP, 24,625 posts)
See the advice in:
http://www.updatexp....cannow-sfc.html

Alternatively, you could just update to SP3, which is where you should be anyway.
  • 0

#44
CWeezy2424 (Member, Topic Starter, 52 posts)
Installing SP3 now....what should I do next?
  • 0

#45
CWeezy2424 (Member, Topic Starter, 52 posts)
Also will note that I installed Avast 5.0 ....
  • 0





