
Difficulty running laptop


#136 dowsp (Member, Topic Starter, 542 posts)
Hi Sal,

I attempted to delete my various AV and firewall programs using App Remover..

It claimed that it found and deleted Malwarebytes, Avira, and Spybot..
with one application...one after the other automatically..

Then It had another option to remove 3 other programs ( that it says were heuristic detected) one at a time...which were..

Mic Sec Essentials, AOL Spyware (which I didn't know I had) and PC Tools Firewall.

I did get an uninstall application for some of them, including MSE... and it seemed to
complete this OK..BUT since then I get a popup warning me that MSE is only disabled.
So I am not sure what's happened.

I can also see an icon below for Windows Security Alerts... (I am not sure if this is from MSE)

It has not detected any of the other programs that I had tried that you suggested...
BUT I cannot recall what each one was or if they are AV programs or just other programs
that were used for other applications..

such as GMER, OTL, Scan TXT, Dr.Web, Virus Removal Tool 1,2,3, FileASSASSIN,
System look, Security check, dial a fix.. these are on my desktop..

some may be just exe or installation progs...

Anyway, here's the CFScript txt file..

I am not sure what to do next, such as which AV and firewall program to decide upon.
I have risked going online to post this..before installing AV and FW..

Hope this proves OK..


====================


ComboFix 11-05-19.02 - P.. 21/05/2011 22:00:38.18.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.257 [GMT 1:00]
Running from: c:\documents and settings\P\Desktop\com fx\ComboFix.exe
Command switches used :: c:\documents and settings\P\Desktop\com fx\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
FILE ::
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17F76C25-D4F3-4311-B5C2-C3FD955F2827}\MpKsl719566b2.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17F76C25-D4F3-4311-B5C2-C3FD955F2827}\MpKslca9d1260.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{37A94116-E54E-48EE-AF69-3FA12D7B99FE}\MpKsl133e6817.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{39E87774-D88B-4EDB-AE91-3502C260A67C}\MpKsl1d3eb406.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{55F15D2F-2A3E-49E2-A090-DB432F463AF9}\MpKsl3edab360.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{64CE6AD6-7051-45CB-8B98-BAB6B83DB7F8}\MpKsl4d263215.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{64CE6AD6-7051-45CB-8B98-BAB6B83DB7F8}\MpKsl936ab378.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{64CE6AD6-7051-45CB-8B98-BAB6B83DB7F8}\MpKsled6ce4bc.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{68688FCE-235D-4D24-A3FD-DA9F55292FF5}\MpKsl1ce23b4d.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6EC67B8D-5576-4DAF-8027-07828881A1D8}\MpKsla25de6bd.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{77E3D941-0F89-458F-97E8-DBC6AA07C9E4}\MpKsld9c76a6f.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{92F6CB1D-C53D-4313-B3C6-3E9E3C9D9BC0}\MpKslcb88d00f.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9833DD60-BD99-4223-B0D3-BC58D9B4E144}\MpKsl94b56ef0.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD679E9C-5155-45A0-9940-5DF7AF7D6C19}\MpKsl10334ae5.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD679E9C-5155-45A0-9940-5DF7AF7D6C19}\MpKslbf8a3bb3.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBFC592A-305B-4BAA-951A-62E71701294D}\MpKsl02a591b9.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D74071FF-8FAB-476C-A005-AC472AE9731D}\MpKsl86c86e31.sys"
"c:\windows\SYSTEM32\DRIVERS\30229470.sys"
"c:\windows\system32\MpEngineStore\MpKsl4aa4b9ad.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys --> c:\windows\SYSTEM32\DRIVERS\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IS-0GOKVDRV
-------\Legacy_MPKSL02A591B9
-------\Legacy_MPKSL10334AE5
-------\Legacy_MPKSL133E6817
-------\Legacy_MPKSL1CE23B4D
-------\Legacy_MPKSL1D3EB406
-------\Legacy_MPKSL3EDAB360
-------\Legacy_MPKSL4AA4B9AD
-------\Legacy_MPKSL4D263215
-------\Legacy_MPKSL719566B2
-------\Legacy_MPKSL86C86E31
-------\Legacy_MPKSL936AB378
-------\Legacy_MPKSL94B56EF0
-------\Legacy_MPKSLA25DE6BD
-------\Legacy_MPKSLBF8A3BB3
-------\Legacy_MPKSLCA9D1260
-------\Legacy_MPKSLCB88D00F
-------\Legacy_MPKSLD9C76A6F
-------\Legacy_MPKSLED6CE4BC
-------\Service_is-0GOKVdrv
-------\Service_MpKsl02a591b9
-------\Service_MpKsl10334ae5
-------\Service_MpKsl133e6817
-------\Service_MpKsl1ce23b4d
-------\Service_MpKsl1d3eb406
-------\Service_MpKsl3edab360
-------\Service_MpKsl4aa4b9ad
-------\Service_MpKsl4d263215
-------\Service_MpKsl719566b2
-------\Service_MpKsl86c86e31
-------\Service_MpKsl936ab378
-------\Service_MpKsl94b56ef0
-------\Service_MpKsla25de6bd
-------\Service_MpKslbf8a3bb3
-------\Service_MpKslca9d1260
-------\Service_MpKslcb88d00f
-------\Service_MpKsld9c76a6f
-------\Service_MpKsled6ce4bc
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-10 13:34 . 2011-05-10 13:34 1409 ----a-w- c:\windows\QTFont.for
2011-05-02 03:37 . 2011-05-02 03:37 -------- d-----w- c:\documents and settings\P\Application Data\FLV.com FLV PLayer
2011-05-02 03:37 . 2011-05-02 03:37 -------- d-----w- c:\program files\FLV.com FLV PLayer
2011-05-02 03:32 . 2011-03-14 15:15 307200 ----a-w- c:\windows\system32\TubeFinder.exe
2011-05-02 03:32 . 2009-06-19 17:51 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-05-02 03:32 . 2009-06-19 17:51 84512 ----a-w- c:\windows\system32\PICCLP32.OCX
2011-05-02 03:32 . 2009-06-19 17:51 364544 ----a-w- c:\windows\system32\PropertyGrid.ocx
2011-05-02 03:32 . 2009-06-19 17:51 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2011-05-02 03:32 . 2009-06-19 17:51 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2011-05-02 03:32 . 2009-06-19 17:51 24576 ----a-w- c:\windows\system32\ControlSubX.ocx
2011-05-02 03:32 . 2009-06-19 17:51 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2011-05-02 03:32 . 2009-06-19 17:51 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-05-02 03:32 . 2011-05-02 03:32 -------- d-----w- c:\program files\FLV.com FLV Downloader
2011-05-02 03:32 . 2011-05-02 03:32 -------- d-----w- c:\documents and settings\P\Application Data\FreeFLVConverter
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-08 02:24 . 2011-04-08 02:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-08 02:24 . 2010-07-08 23:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-02 06:55 . 2011-04-02 06:56 388608 ----a-w- c:\windows\system32\CF32099.exe
2009-03-25 04:56 . 2009-03-25 04:55 1075840 ----a-w- c:\program files\Google Updater.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-16 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 7.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 7.lnk
backup=c:\windows\pss\SnagIt 7.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^P^Start Menu^Programs^Startup^is-0GOKV.lnk]
path=c:\documents and settings\P\Start Menu\Programs\Startup\is-0GOKV.lnk
backup=c:\windows\pss\is-0GOKV.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^P^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\documents and settings\P\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^P^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\P\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 11:33 155648 -c--a-w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
2004-11-10 19:36 290816 ----a-w- c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2004-10-07 19:44 610304 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 07:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05 127035 -c--a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54 57344 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2006-03-11 13:34 190464 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2010-06-02 19:54 39816 ----a-w- c:\program files\Citrix\GoToMeeting\457\g2mstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 08:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 08:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 08:36 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 08:35 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2006-06-17 13:29 319488 ----a-w- c:\program files\Napster\napster.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-05-28 17:32 86016 -c--a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-03-16 01:11 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-09-12 04:36 208941 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 09:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-01-26 11:38 866816 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 13:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-25 04:56 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tesco internet phone]
2007-01-30 10:14 6942720 ----a-w- c:\program files\Tesco internet phone\TescoIP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-09-12 04:36 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 01:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"KService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"StumbleUponUpdateService"=3 (0x3)
"S24EventMonitor"=2 (0x2)
"RetroLauncher"=2 (0x2)
"RegSrvc"=2 (0x2)
"PCToolsFirewallPlus"=2 (0x2)
"NetSvc"=3 (0x3)
"MsMpSvc"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate1c9ad062ddca2f0"=2 (0x2)
"dlbt_device"=3 (0x3)
"AOL ACS"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Tesco internet phone\\TescoIP.exe"=
"c:\\Documents and Settings\\P\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
S4 gupdate1c9ad062ddca2f0;Google Update Service (gupdate1c9ad062ddca2f0);c:\program files\Google\Update\GoogleUpdate.exe [25/03/2009 05:57 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [25/03/2009 05:57 133104]
S4 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [18/12/2008 23:05 120168]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
2011-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2005-02-26 04:56]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 04:57]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 04:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.groups.yahoo.com/group/d/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\P\Application Data\Mozilla\Firefox\Profiles\ejftmv6o.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-00PCTFW - c:\program files\PC Tools Firewall Plus\FirewallGUI.exe
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-21 22:19
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\fxssvc.exe
c:\program files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-21 22:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-21 21:26
ComboFix2.txt 2011-05-21 03:24
ComboFix3.txt 2011-04-02 22:46
.
Pre-Run: 1,431,080,960 bytes free
Post-Run: 1,478,115,328 bytes free
.
- - End Of File - - BD0DFEAC00D15144D9CE0AFEA7053711

#137 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

> I am not sure what to do next, such as which AV and firewall program to decide upon.
> I have risked going online to post this..before installing AV and FW..


I use MSE for my smaller machines. :)

Did you find any noticeable difference in performance?

#138 dowsp (Member, Topic Starter, 542 posts)
Hi Sal,

I reloaded PC tools firewall and Avira quickly for now before I came back to note
your reply....

Initially the machine seems to be opening webpages quite well at the moment,
BUT as I am writing, I still have the feeling that something is not right..

I can see the cursor still flickering and for some reason as I write in the reply box on
this page...it seems as if the RIGHT hand side of the page has no border...

The border only appears when I click the mouse..

in fact JUST as I said that I just tried it and the page also seems to move up and the border disappears again....

I don't think that this is normal operation..

I will see how it goes on for a while.

I opened several webpages to see what happens when I close them.. as one of my problems
has been pages not closing when I click on the white X in the red box at the top of the page... and the minimise
box to its left greys out..

I don't know if it's still some sort of keylogger.. as I also sometimes seem to have
the cursor flicker when I reply to certain email addresses... which makes me wonder if
something is monitoring certain email addresses that I reply to...which I find rather concerning.

This does not happen if I email a new email address... IT'S JUST certain ones that I often email.

Cheers Dowps

#139 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
I need you to have a file analyzed for me:

Go to My Computer -> Tools -> Folder Options -> View tab:
  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to one of the below sites to scan the following files:
virscan.org
Virus Total

Click on Browse, and upload the following file, for analysis:

c:\windows\system32\CF32099.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

#140 dowsp (Member, Topic Starter, 542 posts)
Hi Sal,

One good thing is I found that Avira now will scan OK.. I suspect this may have been due to a conflict
with other AV progs..

I am having problems when I open too many programs, as pages don't want to close and I get
the grey minimise button above when I'm trying to click on the red box above RHS...

Anyway...

I followed your instructions for checking the file .... c:\windows\system32\CF32099.exe
and it doesn't seem to do quite as you describe when I browse to find the file using Virscan.. This was also the case when I did a similar check yesterday..

What seems to happen is I browse and find the relevant file in C drive, windows, system 32..

and then it seems I have to click an upload option..The system then analyses the file.

I then get a message that says as below.....

The file are CF32099.exe uploaded by other users and scanned successfully at 2009/10/20 14:13:58, and 37 softwares update the database from last scan to now.

and it's referring to 2009..I then have options to rescan or scan result...

when I choose scan result, it doesn't seem to find any malware..

there is a copy to clipboard button, but it doesn't work when I click on it..
there is also a message below that says......
Note: This file has been scanned before. Therefore, this file's scan result will not be stored in the database.

I tried again and this time I clicked rescan.. and I get the same results, NO malware found.....

Below is a copy and paste of what I see on the page... but it won't display the options above the scan results correctly when I paste it... i.e. the results were below these headings..

Scanner Engine Ver Sig Ver Sig Date Scan result Time

File Name : CF32099.exe
File Size : 388608 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : 46f09758992f28966196d48f2b81d17d
SHA1 : d131d480b249754cba2b5512ec3e1fca5ed6935f


Scanner results : Scanners did not find malware!
Time : 2011/05/21 00:28:44 (BST)

Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 5.1.0.2 20110521060441 2011-05-21 - 0.080
AhnLab V3 2011.05.21.00 2011.05.21 2011-05-21 - 0.080
AntiVir 8.2.4.242 7.11.8.85 2011-05-20 - 0.278
Antiy 2.0.18 20110205.7694535 2011-02-05 - 0.121
Arcavir 2011 201105080215 2011-05-08 - 0.045
Authentium 5.1.1 201105202003 2011-05-20 - 1.942
AVAST! 4.7.4 110520-1 2011-05-20 - 0.028
AVG 8.5.850 271.1.1/3649 2011-05-20 - 0.252
BitDefender 7.90123.7369763 7.37527 2011-05-21 - 5.979
ClamAV 0.96.5 13097 2011-05-20 - 0.166
Comodo 4.0 8774 2011-05-20 - 0.097
CP Secure 1.3.0.5 2011.05.21 2011-05-21 - 0.085
Dr.Web 5.0.2.3300 2011.05.21 2011-05-21 - 12.341
F-Prot 4.4.4.56 20110520 2011-05-20 - 2.005
F-Secure 7.02.73807 2011.05.20.05 2011-05-20 - 0.194
Fortinet 4.2.257 13.247 2011-05-20 - 0.084
GData 22.399/22.112 20110521 2011-05-21 - 0.079
Ikarus T3.1.32.20.0 2011.05.20.78435 2011-05-20 - 4.760
JiangMin 13.0.900 2011.05.20 2011-05-20 - 0.084
Kaspersky 5.5.10 2011.05.20 2011-05-20 - 0.100
KingSoft 2009.2.5.15 2011.5.20.18 2011-05-20 - 0.083
McAfee 5400.1158 6340 2011-05-08 - 9.493
Microsoft 1.6903 2011.05.20 2011-05-20 - 0.082
NOD32 3.0.21 6138 2011-05-20 - 0.216
Norman 6.07.08 6.07.00 2011-05-20 - 10.014
nProtect 20110519.01 3454403 2011-05-19 - 0.081
Panda 9.05.01 2011.05.19 2011-05-19 - 0.078
Quick Heal 11.00 2011.05.20 2011-05-20 - 0.080
Rising 20.0 23.58.04.03 2011-05-20 - 0.080
Sophos 3.19.1 4.65 2011-05-21 - 3.577
Sunbelt 3.9.2493.2 9339 2011-05-20 - 0.080
Symantec 1.3.0.24 20110519.002 2011-05-19 - 0.003
The Hacker 6.7.0.1 v00176 2011-04-18 - 0.078
Trend Micro 9.200-1012 8.170.01 2011-05-20 - 0.042
VBA32 3.12.16.0 20110520.1647 2011-05-20 - 4.709
ViRobot 20110520 2011.05.20 2011-05-20 - 0.080
VirusBuster 5.2.0.28 13.6.365.0/5213718 2011-05-20

#141 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

> I tried again and this time I clicked rescan.. and I get the same results, NO malware found.....

Google has a different opinion, plus I can't find any legit files related to it.

Let's nuke it anyways. :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\CF32099.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#142 dowsp (Member, Topic Starter, 542 posts)
I just tried the Virus total website and this did offer a reanalyse option as you did describe.

These are the results... It says it didn't detect anything..

BUT what was unusual is that MY AVIRA detected TWO viruses / malware when I opened the
Virus Total page and ran the check..

One was called virus reanalylis and the other virus total, which were shown in local settings temp int files.
It says it was malware suspicious code..

I am doubtful these are for real.. if they are I am uncertain why or what it has found.

================

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: CF32099.exe
Submission date: 2011-05-20 23:39:34 (UTC)
Current status: queued queued analysing finished


Result: 0/ 40 (0.0%)
VT Community

not reviewed
Safety score: -

Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.05.21.00 2011.05.20 -
AntiVir 7.11.8.85 2011.05.20 -
Antiy-AVL 2.0.3.7 2011.05.21 -
Avast 4.8.1351.0 2011.05.20 -
Avast5 5.0.677.0 2011.05.20 -
AVG 10.0.0.1190 2011.05.20 -
BitDefender 7.2 2011.05.20 -
CAT-QuickHeal 11.00 2011.05.20 -
ClamAV 0.97.0.0 2011.05.21 -
Commtouch 5.3.2.6 2011.05.20 -
Comodo 8774 2011.05.20 -
DrWeb 5.0.2.03300 2011.05.21 -
eSafe 7.0.17.0 2011.05.19 -
eTrust-Vet 36.1.8339 2011.05.20 -
F-Prot 4.6.2.117 2011.05.20 -
F-Secure 9.0.16440.0 2011.05.20 -
Fortinet 4.2.257.0 2011.05.21 -
GData 22 2011.05.21 -
Ikarus T3.1.1.104.0 2011.05.20 -
Jiangmin 13.0.900 2011.05.20 -
K7AntiVirus 9.103.4693 2011.05.20 -
Kaspersky 9.0.0.837 2011.05.21 -
McAfee 5.400.0.1158 2011.05.21 -
McAfee-GW-Edition 2010.1D 2011.05.20 -
Microsoft 1.6903 2011.05.20 -
NOD32 6139 2011.05.20 -
nProtect 2011-05-20.01 2011.05.20 -
Panda 10.0.3.5 2011.05.20 -
PCTools 7.0.3.5 2011.05.19 -
Prevx 3.0 2011.05.21 -
Rising 23.58.04.03 2011.05.20 -
Sophos 4.65.0 2011.05.21 -
SUPERAntiSpyware 4.40.0.1006 2011.05.20 -
Symantec 20111.1.0.186 2011.05.20 -
TheHacker 6.7.0.1.202 2011.05.20 -
TrendMicro 9.200.0.1012 2011.05.21 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.21 -
VBA32 3.12.16.0 2011.05.20 -
VIPRE 9339 2011.05.20 -
ViRobot 2011.5.20.4470 2011.05.20 -
Additional information
MD5 : 46f09758992f28966196d48f2b81d17d
SHA1 : d131d480b249754cba2b5512ec3e1fca5ed6935f
SHA256: 20535200904f770922c6da05d34a9ec607e9760f5cbc66eacce75c337668a3e9
ssdeep: 3072:Z2vjZN+jaiG17Ef5KlrKnBZ59oZSmveDlcjIV8jlwIEU+V4EFFCcll3H3rH3XD7c:wLZNai17Y56rKnBfWhveajzxwIEU
File size : 388608 bytes
First seen: 2009-02-12 06:20:22
Last seen : 2011-05-20 23:39:34
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Command Processor
original name: Cmd.Exe
internal name: cmd
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x5056
timedatestamp....: 0x41107EBE (Wed Aug 04 06:14:22 2004)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x1F5E0, 0x1F600, 6.59, 86385f3ab48a55528ee07a09cd9b0870
.data, 0x21000, 0x1CA24, 0x1CA00, 0.17, f475a5d8db410678faa8b459e2a5fdb4
.rsrc, 0x3E000, 0x228B0, 0x22A00, 3.83, ea101d0d4217fa6331a57501c70f34c3

[[ 3 import(s) ]]
msvcrt.dll: __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __initenv, _cexit, _XcptFilter, _exit, _c_exit, calloc, _wcslwr, qsort, _vsnwprintf, wcsstr, _dup2, _dup, _open_osfhandle, _close, swscanf, _ultoa, _pipe, _seh_longjmp_unwind, _setmode, wcsncmp, iswxdigit, fflush, exit, _wtol, time, srand, __set_app_type, wcsrchr, malloc, free, wcstoul, _errno, iswalpha, printf, rand, swprintf, _iob, fprintf, towlower, realloc, setlocale, _snwprintf, wcscat, _wcsupr, wcsncpy, _wpopen, fgets, _pclose, memmove, wcschr, iswspace, _tell, longjmp, wcscmp, _wcsnicmp, _wcsicmp, wcstol, iswdigit, _getch, _get_osfhandle, _controlfp, _setjmp3, _except_handler3, wcscpy, wcslen, wcsspn, towupper
KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCriticalSection, SetConsoleCtrlHandler, GetWindowsDirectoryW, GetConsoleTitleW, GetModuleFileNameW, GetVersion, EnterCriticalSection, LeaveCriticalSection, ExpandEnvironmentStringsW, SearchPathW, WriteFile, GetVolumeInformationW, SetLastError, MoveFileW, SetConsoleTitleW, MoveFileExW, GetBinaryTypeW, GetFileAttributesW, GetCurrentThreadId, CreateProcessW, LoadLibraryW, ReadProcessMemory, SetErrorMode, GetConsoleMode, SetConsoleMode, VirtualAlloc, VirtualFree, SetEnvironmentVariableW, GetEnvironmentVariableW, GetCommandLineW, GetEnvironmentStringsW, GetLocalTime, GetTimeFormatW, FileTimeToLocalFileTime, GetDateFormatW, GetLastError, CloseHandle, SetThreadLocale, GetProcAddress, GetModuleHandleW, SetFilePointer, lstrcmpW, lstrcmpiW, HeapAlloc, GetProcessHeap, HeapFree, MultiByteToWideChar, ReadFile, WriteConsoleW, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ReadConsoleW, GetConsoleScreenBufferInfo, GetStdHandle, GetFileType, VirtualQuery, RaiseException, GetCPInfo, GetConsoleOutputCP, WideCharToMultiByte, GetFileSize, CreateFileW, FindClose, FindNextFileW, FindFirstFileW, GetFullPathNameW, GetUserDefaultLCID, GetLocaleInfoW, SetLocalTime, SystemTimeToFileTime, GetSystemTime, FileTimeToSystemTime
USER32.dll: GetUserObjectInformationW, GetThreadDesktop, MessageBeep, GetProcessWindowStation

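To show what the PEInfo block above is made of (section table, per-section entropy and MD5, COFF timestamp, entry point, and the kind of sanity check a triager runs over it), here is an added Python example. It is not code from the forum thread or from VirusTotal. The parser uses only the standard library; the PE it parses is constructed inside build_sample_pe() for the example and is not the cmd.exe from the report, though it reuses the report's timestamp 0x41107EBE so the decoding can be compared with the date VirusTotal printed. The PACKED_ENTROPY threshold and the rules in assess() are this example's own heuristics, not VT's.

```python
# Added example: rebuilds the "PEInfo" fields of a VirusTotal report offline.
# The parser is plain stdlib; the input PE is constructed below, not a real binary.
import hashlib
import math
import struct
from datetime import datetime, timezone

# Heuristic threshold (this example's choice): compiled x86 code, like the
# 6.59 for .text in the report above, sits well below it; packed/encrypted
# sections tend to approach 8.0.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform), the 'ntropy' column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff_off)
    opt_off = coff_off + 20
    # AddressOfEntryPoint is at offset 16 of the optional header in both PE32 and PE32+.
    entry = struct.unpack_from("<I", blob, opt_off + 16)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, sec_off + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "executable": bool(flags & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
            "ntropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "machinetype": machine,
        "timedatestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entrypointaddress": entry,
        "sections": sections,
    }


def assess(info: dict) -> list:
    """Cheap triage rules over the parsed header; returns human-readable findings."""
    findings = []
    ep = info["entrypointaddress"]
    home = [s for s in info["sections"]
            if s["viradd"] <= ep < s["viradd"] + max(s["virsiz"], s["rawdsiz"])]
    if not home:
        findings.append("entry point 0x%X lies outside every section" % ep)
    elif not home[0]["executable"]:
        findings.append("entry point in non-executable section %s" % home[0]["name"])
    for s in info["sections"]:
        if s["executable"] and s["ntropy"] > PACKED_ENTROPY:
            findings.append("code section %s has entropy %.2f (likely packed)" % (s["name"], s["ntropy"]))
    return findings


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (not a real program): a code section
    holding every byte value twice (entropy 8.0) and a zero-filled data section
    (entropy 0.0). The COFF timestamp is the report's 0x41107EBE."""
    text = bytes(range(256)) * 2
    data = b"\x00" * 512
    e_lfanew, opt_size = 0x40, 0xE0
    text_ptr, data_ptr = 0x400, 0x600
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x41107EBE, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint -> start of .text
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), data_ptr, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec_text + sec_data
    img = bytearray(data_ptr + len(data))
    img[:len(hdr)] = hdr
    img[text_ptr:text_ptr + len(text)] = text
    img[data_ptr:data_ptr + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["timestamp_utc"], "entry 0x%X" % info["entrypointaddress"], info["sections"], assess(info))
```

Run it against a real file with parse_pe(open(path, "rb").read()). Two caveats when reading a report like the one above: an entropy of about 6.6 for a .text section is what ordinary compiled x86 code looks like and is not suspicious by itself (the constructed sample deliberately trips the packing rule because every byte value appears equally often), and "verified: Unsigned" from a sigcheck-style check only means no embedded Authenticode signature was found. Windows system binaries such as cmd.exe are normally signed through catalog files rather than an embedded signature, so that line alone is not evidence of tampering; comparing the hash against a known-good copy of the same file version is the more reliable check.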
#143
dowsp (Member, Topic Starter, 542 posts)
Before I run ComboFix, I wonder if you have any comments first about the VirusTotal scan and the Avira malware find..

--------------------------

Google has a different opinion, plus I can't find any legit files related to it.

Let's nuke it anyway.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

#144
Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Before I run ComboFix, I wonder if you have any comments first about the VirusTotal scan and the Avira malware find..

I am not sure about the detection, as VT is a legit site. However, since Avira is now up and running, let it deal with whatever it finds during its scan, to keep all the nasties in check.

#145
dowsp (Member, Topic Starter, 542 posts)
Hi Sal,

Yes, that did seem a bit strange if Avira has found malware on that site.. It found another called report soon after..

I have tried to follow the last ComboFix instruction...

BUT for some reason I am getting a message saying End Program with a large file name, and it says Windows cannot end this program.. it may need more time to complete an operation.

I tried to upload another ComboFix into another folder and place the txt file into it.

BUT I am still getting the same message..

Maybe I need to restart the computer.. otherwise I am not sure what to do..

:)

#146
Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
I concur.

A restart would be a good idea. :)

#147
dowsp (Member, Topic Starter, 542 posts)
OK, I will do so shortly.

Avira has started to download or install new files... best let it complete first.

I have found that I also still had another firewall that was active.. called ThreatFire.

I had removed an uploaded PC Tools... I was thinking that they were the same.

Would you have any preference between them? Before I had the End Now messages when trying ComboFix, ThreatFire detected a threat... since then the End messages have shown up..

I will restart... but I am wondering if I should remove one of the firewalls, even though I've now disabled them..

#148
Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
PC Tools is the company that bought ThreatFire, so you're correct in your assumption that they are the same. :)

#149
dowsp (Member, Topic Starter, 542 posts)
OK,

I restarted and disabled the firewalls and AV..

I retried placing the txt file into ComboFix... and unfortunately I got the same End Program message, in which at the top of the message it refers to this file..

c:\32788R22FWJFW\Licence\iexpl...

I am wondering if I could try this in Safe Mode, or do I need to be online?

#150
Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Skip ComboFix and do this instead.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    
    :Services
    
    :Reg
    
    :Files
    c:\windows\system32\CF32099.exe
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.