Remove Spyware Warning on desktop


This topic is locked.

#16 Dakeyras (Anti-Malware Mammoth, Expert, 9,714 posts)
Hi. :D

Forgot to mention that ERUNT is still installed on the computer. Any changes to the process?

Still trying to figure how to do the "quote box" you do in your posts.

Good. I merely use quote tags with a forum editing application for the most part, as I provide assistance in several other forums as well as here in GTG, mainly because it saves me having to sign in until I am ready to post a reply. Though you can just as easily use the built-in forum tools for doing such. If you look here and expand the Posting option it will explain the aforementioned.

I attempted to enable System Restore, but found it was already enabled. Strange, because yesterday it was disabled. Created a new restore point anyway per your directions.

Also made a new backup of the registry.

All good.

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK

firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select Off(not recommended) >> OK.

Note: No need for it to be active after the reset because you have the Sunbelt Personal Firewall installed.

MSConfig Advice:

Personally I do not think it wise to use the System Configuration Utility unless you know exactly what you are doing, as otherwise serious problems may arise.

I advise you to consider this application instead; it will also provide an extra layer of system protection via its monitoring activities.

WinPatrol:

Download it from here

You can find information about how WinPatrol works here

Note: Do not download/install just yet as it may hinder the malware removal process but by all means do so when I give the all clear if you so wish.

Custom ComboFix-Script:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\documents and settings\All Users\Application Data\iKjFoPc06300

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis True Image Monitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C40 Series]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

[Screenshot not included: CFScript.txt being dragged onto ComboFix.exe]


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue. If that happened we want to know, and also what process you had to end.
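Added example (the editor's, not code from this thread or from ComboFix): a small Python dry-run reader for the Registry:: block of a CFScript like the one above. It parses the REGEDIT4-style lines into a list of actions ([-KEY] deletes a key, "name"=- deletes a value, "name"=dword:… sets a DWORD value) and flags any action whose key falls outside a prefix you have chosen to treat as routine, so you can confirm that the script above only removes MSConfig startupreg/services entries and sets one Security Center value before you drag it onto ComboFix.exe. The allow-list prefix and the three-line sample block are assumptions made for this example; the sample lines themselves are copied from the script above.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the Registry:: block from the script above (three of
# its lines, chosen to cover each directive form).
SAMPLE_REGISTRY_BLOCK = r"""Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
"""

# (kind, key, value_name, data)
Action = Tuple[str, str, Optional[str], Optional[object]]

KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def explain_registry_block(text: str) -> List[Action]:
    """Dry-run a Registry:: block using REGEDIT4 conventions:
    [-KEY] deletes the key, [KEY] selects it for the value lines that follow,
    "name"=- deletes a value, "name"=dword:XXXXXXXX sets a DWORD, anything
    else is treated as a string value. Unknown lines raise, rather than being
    silently skipped, because the script will be applied with SYSTEM rights."""
    actions: List[Action] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("::"):      # blank or section directive
            continue
        m = KEY_RE.match(line)
        if m:
            delete, key = m.groups()
            current = key
            if delete:
                actions.append(("delete_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data == "-":
                actions.append(("delete_value", current, name, None))
            elif data.startswith("dword:"):
                actions.append(("set_dword", current, name, int(data[6:], 16)))
            else:
                actions.append(("set_string", current, name, data.strip('"')))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return actions


def needs_review(actions: List[Action], allowed_prefixes: Tuple[str, ...]) -> List[Action]:
    """Actions whose key is outside the prefixes you have decided are routine
    (case-insensitive). The allow-list is the reader's choice, not ComboFix's."""
    low = tuple(p.lower() for p in allowed_prefixes)
    return [a for a in actions if not a[1].lower().startswith(low)]


def describe(actions: List[Action]) -> List[str]:
    """Plain-English rendering of each action, in script order."""
    out = []
    for kind, key, name, data in actions:
        if kind == "delete_key":
            out.append(f"delete key {key}")
        elif kind == "delete_value":
            out.append(f"delete value {name!r} under {key}")
        else:
            out.append(f"set {name!r} = {data!r} under {key}")
    return out


if __name__ == "__main__":
    acts = explain_registry_block(SAMPLE_REGISTRY_BLOCK)
    print("\n".join(describe(acts)))
    # Assumed allow-list: the MSConfig bookkeeping subtree only.
    msconfig = (r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig",)
    print("review:", describe(needs_review(acts, msconfig)))
```

Run against the full Registry:: block above, the only action the MSConfig allow-list leaves for review is the DisableMonitoring DWORD under the Security Center key, which is a value being set to 0, not a deletion.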

#17 scewter (Topic Starter, Member, 96 posts)
Found the Quote info and have played with it in the past - just can't get it to work for me. Not sure if you're supposed to highlight the text and then select Quote (which doesn't work for me), or select Quote Reply before selecting Add Reply (also doesn't work). I can figure out some complex things at times, but this has me stumped...? Just not intuitive I guess.

Anyway, on to the repair - here's the log file after running ComboFix with the custom script. BTW, after launching ComboFix it asked if I wanted to download and use a newer version than the one I have, and I responded with no as I wasn't sure if the custom script was specific to the older version I have used.

ComboFix 11-03-12.01 - PJ 03/14/2011 15:46:17.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1588 [GMT -4:00]
Running from: c:\documents and settings\PJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\PJ\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *Enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.
FILE ::
"c:\documents and settings\All Users\Application Data\iKjFoPc06300"
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-12 18:25 . 2011-03-12 18:25 -------- d-----w- C:\_OTL
2011-03-08 03:02 . 2011-03-11 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\iKjFoPc06300
2011-02-26 17:11 . 2011-02-26 17:11 -------- d-----w- c:\documents and settings\PJ\Local Settings\Application Data\Xenocode
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 11:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 11:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-04 11:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 11:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 08:47 . 2010-09-10 17:11 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-09-10 17:11 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-09-10 17:11 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-09-10 17:11 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-09-10 17:11 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-09-10 17:11 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-09-10 17:11 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-09-10 17:11 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-09-10 17:11 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-07 14:09 . 2004-08-04 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2010-08-20 19:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-04 11:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 23:08 . 2010-08-20 19:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 11:00 389120 ----a-w- c:\windows\system32\html.iec
2010-02-25 22:56 . 2010-02-25 22:55 98181416 ----a-w- c:\program files\iTunesSetup.exe
2009-11-13 02:15 . 2009-11-13 02:15 4938616 ----a-w- c:\program files\Silverlight.exe
2009-11-05 16:12 . 2009-11-05 16:12 3218761 ----a-w- c:\program files\SetupSureCutsALot_2_005.exe
2008-06-29 18:12 . 2008-06-29 18:12 16535022 ----a-w- c:\program files\CDSInstaller.exe
2003-08-27 19:19 . 2005-03-26 16:56 36963 ------w- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-05 180269]
"BigDogPath"="c:\windows\VM_STI.EXE" [2005-02-28 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-11-29 221295]
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2005-11-25 155715]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^PJ^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis True Image Monitor]
2005-12-27 15:32 988736 ----a-w- c:\program files\Acronis\TrueImage\TrueImageMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9/10/2010 1:11 PM 294608]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\SYSTEM32\DRIVERS\eusk2par.sys [12/15/2007 8:02 PM 24786]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SbFw;SbFw;c:\windows\SYSTEM32\DRIVERS\SbFw.sys [9/10/2010 1:18 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\SYSTEM32\DRIVERS\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9/10/2010 1:11 PM 17744]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R3 EUCR;ENE USB Mass Storage;c:\windows\SYSTEM32\DRIVERS\EUCR6SK.sys [2/13/2006 2:23 PM 42240]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\SYSTEM32\DRIVERS\SbFwIm.sys [9/10/2010 1:18 PM 65576]
S2 gupdate1c9b1b792ea9b30;Google Update Service (gupdate1c9b1b792ea9b30);c:\program files\Google\Update\GoogleUpdate.exe [3/31/2009 12:16 AM 133104]
S3 epppdt;EPSON 1394.3 Class;c:\windows\SYSTEM32\DRIVERS\epppdt.sys [6/18/2006 5:41 PM 31269]
S3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\SYSTEM32\DRIVERS\epppdtpr.sys [6/18/2006 5:41 PM 14457]
S3 eusk3usb;SmartKey 3 USB;c:\windows\SYSTEM32\DRIVERS\eusk3usb.sys [12/15/2007 8:02 PM 45534]
S3 OlyCamComm;OLYMPUS USB Communication Device;c:\windows\SYSTEM32\DRIVERS\OlyCamComm.sys [12/9/2010 9:48 PM 21648]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\DRIVERS\SPCP825K.sys --> c:\windows\system32\DRIVERS\SPCP825K.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
2011-03-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-17 03:23]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 04:15]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 04:15]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://www.docs.co.clay.mn.us/AppXtender/client/IrcViewer.cab
DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} - hxxp://www.docs.co.clay.mn.us/AppXtender/client/IrcResultSet.cab
FF - ProfilePath - c:\documents and settings\PJ\Application Data\Mozilla\Firefox\Profiles\rj0t53qj.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 15:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1244)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-14 15:59:04
ComboFix-quarantined-files.txt 2011-03-14 19:58
ComboFix2.txt 2011-03-13 18:07
.
Pre-Run: 5,341,315,072 bytes free
Post-Run: 5,331,189,760 bytes free
.
- - End Of File - - D276BADCB254C657BC35D8F70EF335DE
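Added example (the editor's, not from this thread or from ComboFix): a Python triage script over the "Files Created" section of a ComboFix log like the one above. It parses each entry into timestamps, size, attribute flags and path, flags basenames that look machine-generated (a run of mixed-case letters followed by digits, which matches iKjFoPc06300 but not Xenocode or _OTL; this heuristic is an assumption, not ComboFix's logic), and emits the CFScript directive for each hit, choosing Folder:: when the attribute column starts with d and File:: otherwise. The attribute check is the point: the log shows iKjFoPc06300 as d-----w-, and the script that targeted it with File:: left the directory in place. The sample log is a constructed excerpt that reuses paths from the posted log.

```python
import re
from typing import List, NamedTuple

# Constructed excerpt modelled on the ComboFix log posted above (two section
# banners and a few entries; the paths are copied from the log, nothing else).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
2011-03-12 18:25 . 2011-03-12 18:25 -------- d-----w- C:\_OTL
2011-03-08 03:02 . 2011-03-11 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\iKjFoPc06300
2011-02-26 17:11 . 2011-02-26 17:11 -------- d-----w- c:\documents and settings\PJ\Local Settings\Application Data\Xenocode
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 11:00 270848 ----a-w- c:\windows\system32\sbe.dll
"""


class Entry(NamedTuple):
    created: str
    modified: str
    size: str      # "--------" for directories, byte count for files
    attrs: str     # e.g. "d-----w-" (directory) or "----a-w-" (file)
    path: str


# One ComboFix file line: created . modified size attrs path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(-{8}|\d+) ([d-][-a-z]{7}) (.+)$"
)


def parse_created(log_text: str) -> List[Entry]:
    """Return the entries of the 'Files Created' section only; the Find3M
    section that follows lists modified system files and is skipped."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("((("):            # a section banner
            in_section = "Files Created" in line
            continue
        m = ENTRY_RE.match(line)
        if in_section and m:
            entries.append(Entry(*m.groups()))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic (editor's assumption, not ComboFix logic): five or more
    letters followed by three or more digits, with at least three
    upper/lower case flips, e.g. iKjFoPc06300. Ordinary names such as
    Xenocode, _OTL or Office10 do not match."""
    m = re.fullmatch(r"([A-Za-z]{5,})(\d{3,})", name)
    if not m:
        return False
    letters = m.group(1)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips >= 3


def triage(log_text: str) -> List[Entry]:
    """Recently created entries whose basename looks machine-generated."""
    return [e for e in parse_created(log_text)
            if looks_random(e.path.rsplit("\\", 1)[-1])]


def build_cfscript(entries: List[Entry]) -> str:
    """Emit CFScript directives: directories need Folder::, files need File::.
    A File:: line pointed at a d-----w- entry does not remove the directory."""
    folders = [e.path for e in entries if e.attrs.startswith("d")]
    files = [e.path for e in entries if not e.attrs.startswith("d")]
    blocks = []
    if folders:
        blocks.append("Folder::\n" + "\n".join(folders) + "\n")
    if files:
        blocks.append("File::\n" + "\n".join(files) + "\n")
    return "\n".join(blocks)


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

The heuristic is deliberately narrow; it is a first pass to point a human at entries worth looking up, not a verdict, and anything it flags should still be checked against the Reg Loading Points and services sections before it goes into a script.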

#18 Dakeyras (Anti-Malware Mammoth, Expert, 9,714 posts)
Hi. :D

Found the Quote info and have played with it in the past - just can't get it to work for me. Not sure if you're supposed to highlight the text and then select Quote (which doesn't work for me), or select Quote Reply before selecting Add Reply (also doesn't work). I can figure out some complex things at times, but this has me stumped...? Just not intuitive I guess.

I usually just cut n paste what I wish to quote then include the quote tags etc.

Anyway, on to the repair - here's the log file after running ComboFix with the custom script. BTW, after launching ComboFix it asked if I wanted to download and use a newer version than the one I have, and I responded with no as I wasn't sure if the custom script was specific to the older version I have used.

OK, run the below ComboFix custom script, and if ComboFix asks if you want to download a new version, allow such. You have done nothing wrong, I will further add.

Folder::
c:\documents and settings\All Users\Application Data\iKjFoPc06300


#19 scewter (Topic Starter, Member, 96 posts)
Making progress here - I think.

OK run the below ComboFix custom script and if ComboFix asks if you want to download a new version, allow such.


I followed your previous directions regarding saving the notepad file as CFScript.txt on the desktop, then dragging and dropping it onto ComboFix after disabling my antivirus. Assuming that's what was desired, here's the log file from that process:

ComboFix 11-03-14.01 - PJ 03/14/2011 20:12:33.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1516 [GMT -4:00]
Running from: c:\documents and settings\PJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\PJ\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *Enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\iKjFoPc06300
c:\documents and settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-12 18:25 . 2011-03-12 18:25 -------- d-----w- C:\_OTL
2011-02-26 17:11 . 2011-02-26 17:11 -------- d-----w- c:\documents and settings\PJ\Local Settings\Application Data\Xenocode
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 11:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 11:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-04 11:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 11:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 08:47 . 2010-09-10 17:11 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-09-10 17:11 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-09-10 17:11 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-09-10 17:11 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-09-10 17:11 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-09-10 17:11 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-09-10 17:11 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-09-10 17:11 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-09-10 17:11 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-07 14:09 . 2004-08-04 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2010-08-20 19:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-04 11:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 23:08 . 2010-08-20 19:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 11:00 389120 ----a-w- c:\windows\system32\html.iec
2010-02-25 22:56 . 2010-02-25 22:55 98181416 ----a-w- c:\program files\iTunesSetup.exe
2009-11-13 02:15 . 2009-11-13 02:15 4938616 ----a-w- c:\program files\Silverlight.exe
2009-11-05 16:12 . 2009-11-05 16:12 3218761 ----a-w- c:\program files\SetupSureCutsALot_2_005.exe
2008-06-29 18:12 . 2008-06-29 18:12 16535022 ----a-w- c:\program files\CDSInstaller.exe
2003-08-27 19:19 . 2005-03-26 16:56 36963 ------w- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-05 180269]
"BigDogPath"="c:\windows\VM_STI.EXE" [2005-02-28 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-11-29 221295]
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2005-11-25 155715]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^PJ^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis True Image Monitor]
2005-12-27 15:32 988736 ----a-w- c:\program files\Acronis\TrueImage\TrueImageMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9/10/2010 1:11 PM 294608]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\SYSTEM32\DRIVERS\eusk2par.sys [12/15/2007 8:02 PM 24786]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SbFw;SbFw;c:\windows\SYSTEM32\DRIVERS\SbFw.sys [9/10/2010 1:18 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\SYSTEM32\DRIVERS\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9/10/2010 1:11 PM 17744]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R3 EUCR;ENE USB Mass Storage;c:\windows\SYSTEM32\DRIVERS\EUCR6SK.sys [2/13/2006 2:23 PM 42240]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\SYSTEM32\DRIVERS\SbFwIm.sys [9/10/2010 1:18 PM 65576]
S2 gupdate1c9b1b792ea9b30;Google Update Service (gupdate1c9b1b792ea9b30);c:\program files\Google\Update\GoogleUpdate.exe [3/31/2009 12:16 AM 133104]
S3 epppdt;EPSON 1394.3 Class;c:\windows\SYSTEM32\DRIVERS\epppdt.sys [6/18/2006 5:41 PM 31269]
S3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\SYSTEM32\DRIVERS\epppdtpr.sys [6/18/2006 5:41 PM 14457]
S3 eusk3usb;SmartKey 3 USB;c:\windows\SYSTEM32\DRIVERS\eusk3usb.sys [12/15/2007 8:02 PM 45534]
S3 OlyCamComm;OLYMPUS USB Communication Device;c:\windows\SYSTEM32\DRIVERS\OlyCamComm.sys [12/9/2010 9:48 PM 21648]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\DRIVERS\SPCP825K.sys --> c:\windows\system32\DRIVERS\SPCP825K.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
2011-03-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-17 03:23]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 04:15]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 04:15]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://www.docs.co.clay.mn.us/AppXtender/client/IrcViewer.cab
DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} - hxxp://www.docs.co.clay.mn.us/AppXtender/client/IrcResultSet.cab
FF - ProfilePath - c:\documents and settings\PJ\Application Data\Mozilla\Firefox\Profiles\rj0t53qj.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 20:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1244)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-14 20:22:35
ComboFix-quarantined-files.txt 2011-03-15 00:22
ComboFix2.txt 2011-03-14 19:59
ComboFix3.txt 2011-03-13 18:07
.
Pre-Run: 5,326,602,240 bytes free
Post-Run: 5,316,952,064 bytes free
.
- - End Of File - - 974532A8C7D35E33D7B2F081E1EBBCBE

#20 Dakeyras (Anti-Malware Mammoth, Expert, 9,714 posts)
Hi. :D

Making progress here - I think.

Aye.

I followed your previous directions regarding saving the notepad file as CFScript.txt on the desktop, then dragging and dropping it onto ComboFix after disabling my antivirus. Assuming that's what was desired

All good. We will now update some applications (new installations also) and run a final check on your machine as follows...

New Adobe Reader Installation:

  • Go here and click on AdbeRdr1000_en_US.exe to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • After the new Reader is installed, open Adobe Reader X. (Right click and Run as administrator in Vista/Win7)
  • OK the license.
  • Click on Edit and select Preferences.
  • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
  • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
  • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
  • Click the OK button
New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE 6 Update 24 (JDK or JRE). Click on Download JRE.
  • Select Windows from the drop-down list for Platform.
  • Check (tick) Java SE Runtime Environment 6u24 with JavaFX License Agreement box and click on Continue.
  • Click on jre-6u24-windows-i586.exe link to download it and save this to a convenient location.
  • Double-click on jre-6u24-windows-i586.exe to install Java.
Note: During installation de-select the option to install McAfee Security Scan Plus.

Update Mozilla FireFox:

  • Launch the browser >> Help >> Check for Updates...
  • Click on the Update Firefox tab when prompted to upgrade to v3.6.15.
  • Restart Firefox when prompted.
Update to Internet Explorer v8:

IE7 has been superseded by IE8, I strongly advise you download and install the new browser from here. This will increase overall security whilst browsing online.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
  • 0

#21
scewter

scewter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Dakeyras,

New Adobe Reader Installation, New Java Installation, Update Mozilla FireFox, and Update to Internet Explorer v8


All completed.

ESET Online Scanner


I tried it several times now and it keeps "hanging" on the same file, which is about 15% completed. Per your direction had also disabled antivirus beforehand.

Any suggestions?

Edited by scewter, 15 March 2011 - 03:31 PM.

  • 0

#22
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
Hi. :D

I tried it several times now and it keeps "hanging" on the same file, which is about 15% completed.

OK download and run TFC(see below) and try the Eset online scan again...If in the event it hangs re-run TFC again and try the Panda online scan(see below).

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Panda Online Scan:

Please go here to run Panda's ActiveScan

  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply

  • 0

#23
scewter

scewter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Some progress to report, although not complete.

After running TFC, still had the hanging problem with ESET. Switched to Panda. That seemed to scan ok, however it was taking a verrrrry long time. I went to bed after monitoring it for about 4.5 hrs (showing 16%). Got up about 5 hrs to check it and the desktop was clean, no Panda scanner window(s) and no report. Started it again and it showed the results of the previous scan (10 threats which is what I observed before calling it a nite last nite). Started a Quick scan (vs Full scan) this time, but only got 8 threats (report attached below). Tried another Full scan and caught all 10 threats again, but was unsuccessful in saving the report. Have tried another 3 times to capture the 10 threats, all unsuccessful, and all due to Panda not letting me capture the report or not displaying it. All threats appear to be tracking cookies.

Here's the report:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2011-03-16 05:45:34
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! Antivirus 5.0.83952505 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
00167724 Cookie/HotLog TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No c:\documents and settings\pj\cookies\[email protected][1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
  • 0

#24
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
Hi. :D

Unfortunately any type of online scan can be problematic at times for varying reasons and others they just work fine.

Anyway, any further issues remaining?
  • 0

#25
scewter

scewter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts

Anyway, any further issues remaining?


Not at this time. Seems to be running well.
  • 0



#26
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
Hi. :D

Not at this time. Seems to be running well.

Good...Congratulations your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

Also so is this:

What to do if your Computer is running slowly

Uninstall ComboFix:

  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image
Clean up with OTL:

  • Double-click OTL to start the program.
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, depress the CleanUp button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan at least once a week.

Other installed security software:

Your presently installed security application, Avast, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also at least once per week.

Erunt:

Emergency Recovery Utility NT, I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

  • I advise you visit: http://update.micros...t.aspx?ln=en-us
  • Install the Active X
  • Once installed it will advise you to set Auto-Updates if not set, and then you will be able to manually check for updates also via:
  • Start >> All Programs >> Microsoft Updates
Be careful when opening attachments and downloading files:

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allows scripts (that is, VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

Only use one of the above!

Install WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

Next:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

Any questions? Feel free to ask, if not stay safe!
  • 0
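The Hosts file section of the post above explains that a blocking Hosts file sends known ad and spyware hosts to 127.0.0.1. The following is an added example, not from Dakeyras' post or from any of the Hosts file projects linked there: it parses a constructed Windows-style hosts file, resolves a name the way the resolver does (first matching entry wins), and as a defender check lists any entry that points a name somewhere other than the local machine, which is something a blocking file should never contain.

```python
# Added example (not from the thread): how a blocking Hosts file works.
# Parses Windows-style hosts lines and resolves a name the way the OS does:
# the first matching entry wins, so a listed ad/spyware host goes to
# 127.0.0.1 and never reaches the real server. The sample content below is
# constructed; the .test domain is reserved and not a real site.

SAMPLE_HOSTS = """\
# Constructed sample in the format of C:\\Windows\\System32\\drivers\\etc\\hosts
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test   # blocked ad server
127.0.0.1       spyware.example.test       # blocked spyware site
0.0.0.0         another-bad.example.test   # some lists use 0.0.0.0 instead
"""

LOCAL_TARGETS = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]       # one IP, one or more names per line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def resolve(hostname, entries):
    """First matching entry wins, like the resolver's hosts lookup; None means DNS is asked."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def is_blocked(hostname, entries):
    """True when the hosts file sinks the name to the local machine."""
    return resolve(hostname, entries) in LOCAL_TARGETS


def suspicious_entries(entries):
    """Defender check: a blocking hosts file should only map names to the local machine,
    so any entry pointing elsewhere deserves a look (it may be redirecting a real site)."""
    return [(ip, name) for ip, name in entries if ip not in LOCAL_TARGETS]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-tracker.test", "www.geekstogo.com"):
        print(host, "->", resolve(host, table) or "not in hosts file, DNS is used")
    print("entries pointing away from the local machine:", suspicious_entries(table))
```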

#27
scewter

scewter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Dakeyras, outstanding help, support, and advice.

Really appreciate your time in this. Will follow your recommendations.

All my best,
Scewter
  • 0

#28
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
You're most welcome and thank you for the compliment also! :D
  • 0

#29
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,714 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0