Desktop settings revert to defaults on reboot, also no sound


This topic is locked

#16
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

No yellow question marks.

OK we can come back to this when we have completed the Malware Removal process.

Neither one of those files were present in C:\WINDOWS\system32, nor anywhere else in my computer. I even searched the tape backup.

Fair play.

Sorry, double post.

Not a problem.

Custom ComboFix-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box (do not copy the word quote) below:

Driver::
5518B7ED
576CA959

File::
C:\WINDOWS\system32\5518B7ED.exe
C:\WINDOWS\system32\576CA959.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTDCPL]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"= 0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"= 0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"= 0

RegLock::
[HKEY_USERS\S-1-5-21-3599948769-1508766627-293611528-1005\Software\SecuROM\License information*]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: dragging CFScript.txt onto ComboFix.exe)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here to run the scan...Click on Scan Now

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • ComboFix Log.
  • ESET Log.

  • 0

#17
Pat Williams

    Member

  • Topic Starter
  • Member
  • 47 posts
How is your computer performing now, any further symptoms and or problems encountered?

No change.

ComboFix Log.

ComboFix 11-08-06.02 - patty 08/06/2011 20:46:21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1388 [GMT -5:00]
Running from: c:\documents and settings\patty\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\patty\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\5518B7ED.exe"
"c:\windows\system32\576CA959.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_5518B7ED
-------\Legacy_576CA959
-------\Service_5518B7ED
-------\Service_576CA959
.
.
((((((((((((((((((((((((( Files Created from 2011-07-07 to 2011-08-07 )))))))))))))))))))))))))))))))
.
.
2011-08-04 13:51 . 2011-08-04 13:51 -------- d-----w- C:\_OTL
2011-08-04 13:21 . 2011-08-04 13:22 -------- d-----w- c:\program files\ERUNT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:52 . 2009-08-06 16:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2009-08-06 16:27 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-29 13:00 . 2010-08-27 18:38 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-29 13:00 . 2010-08-27 18:38 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-21 19:02 . 2011-05-15 19:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2005-08-16 09:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-23 16:55 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2011-05-23 16:37 . 2011-05-23 16:04 15448 ----a-w- c:\windows\system32\drivers\pfmodnt.sys
2011-05-23 16:37 . 2011-05-23 16:04 1211480 ----a-w- c:\windows\system32\drivers\ha20x2k.sys
2011-05-23 16:37 . 2011-05-23 16:04 95832 ----a-w- c:\windows\system32\drivers\emupia2k.sys
2011-05-23 16:37 . 2011-05-23 16:04 159320 ----a-w- c:\windows\system32\drivers\ctsfm2k.sys
2011-05-23 16:37 . 2011-05-23 16:04 537048 ----a-w- c:\windows\system32\drivers\ctaud2k.sys
2011-05-23 16:37 . 2011-05-23 16:04 14424 ----a-w- c:\windows\system32\drivers\ctprxy2k.sys
2011-05-23 16:37 . 2011-05-23 16:04 130648 ----a-w- c:\windows\system32\drivers\ctoss2k.sys
2011-05-23 16:37 . 2011-05-23 16:04 511064 ----a-w- c:\windows\system32\drivers\ctac32k.sys
2011-05-23 16:37 . 2009-06-04 07:46 1399384 ----a-w- c:\windows\system32\drivers\CTEXFIFX.sys
2011-05-23 16:37 . 2009-06-04 07:46 73816 ----a-w- c:\windows\system32\drivers\CTHWIUT.sys
2011-05-23 16:37 . 2009-06-04 07:46 198232 ----a-w- c:\windows\system32\drivers\CT20XUT.sys
2011-05-23 16:37 . 2006-04-03 14:26 86528 ----a-w- c:\windows\system32\ctcoinst.dll
2011-05-23 16:37 . 2006-04-03 14:26 347144 ----a-w- c:\windows\system32\drivers\ctdvda2k.sys
2011-05-23 16:37 . 2006-04-03 14:26 186368 ----a-w- c:\windows\system32\ctdvinst.dll
2011-05-23 16:37 . 2009-06-04 05:55 2560 ----a-w- c:\windows\system32\CtxfiRes.dll
2011-05-23 16:37 . 2006-04-03 14:22 11776 -c--a-w- c:\windows\INRES.DLL
2011-05-23 16:37 . 2011-05-23 16:04 68608 ----a-w- c:\windows\system32\piaproxy.dll
2011-05-23 16:37 . 2011-05-23 16:04 10240 ----a-w- c:\windows\system32\sfman32.dll
2011-05-23 16:37 . 2009-11-19 19:20 809560 ----a-w- c:\windows\system32\oalinst.exe
2011-05-23 16:37 . 2006-04-03 14:22 16384 ----a-w- c:\windows\system32\regplib.exe
2011-05-23 16:37 . 2006-04-03 14:22 130560 ----a-w- c:\windows\system32\sfms32.dll
2011-05-23 16:37 . 2011-05-23 16:04 53248 ----a-w- c:\windows\system32\ctdproxy.dll
2011-05-23 16:37 . 2011-05-23 16:04 201216 ----a-w- c:\windows\system32\ctemupia.dll
2011-05-23 16:37 . 2009-12-09 09:13 626030 ----a-w- c:\windows\system32\APOIM32.exe
2011-05-23 16:37 . 2009-07-23 09:12 7680 ----a-w- c:\windows\system32\enlocstr.exe
2011-05-23 16:37 . 2009-06-04 05:50 15872 ----a-w- c:\windows\system32\Ct20xspi.dll
2011-05-23 16:37 . 2007-03-13 15:32 87712 ----a-w- c:\windows\system32\ctpxst32.exe
2011-05-23 16:37 . 2006-12-05 19:52 48400 ----a-w- c:\windows\system32\AddCat.exe
2011-05-23 16:37 . 2006-04-03 14:22 77824 ----a-w- c:\windows\system32\eaxac3.dll
2011-05-23 16:37 . 2006-04-03 14:22 74752 ----a-w- c:\windows\system32\ctosuser.dll
2011-05-23 16:37 . 2006-04-03 14:22 50688 ----a-w- c:\windows\system32\ctasio.dll
2011-05-23 16:37 . 2006-04-03 14:22 47616 ----a-w- c:\windows\system32\CTxfiReg.exe
2011-05-23 16:37 . 2006-04-03 14:22 42496 ----a-w- c:\windows\system32\CTxfiBtn.dll
2011-05-23 16:37 . 2006-04-03 14:22 39424 ----a-w- c:\windows\system32\CTxfiSpk.dll
2011-05-23 16:37 . 2006-04-03 14:22 36864 ----a-w- c:\windows\system32\devreg.dll
2011-05-23 16:37 . 2006-04-03 14:22 25088 ----a-w- c:\windows\system32\Ctxfihlp.exe
2011-05-23 16:37 . 2006-04-03 14:22 194560 ----a-w- c:\windows\system32\ct_oal.dll
2011-05-23 16:37 . 2006-04-03 14:22 14336 ----a-w- c:\windows\system32\a3d.dll
2011-05-23 16:37 . 2006-04-03 14:22 13312 ----a-w- c:\windows\system32\ac3api.dll
2011-05-23 16:37 . 2006-04-03 14:22 1292288 ----a-w- c:\windows\system32\CTxfispi.exe
2011-05-23 16:37 . 2006-04-03 14:22 12800 ----a-w- c:\windows\system32\killapps.exe
2011-06-22 03:21 . 2011-05-10 01:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( Snapshot@2011-08-04_22.51.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-07 02:11 . 2011-08-07 02:11 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-12-29 1653248]
"F.lux"="c:\documents and settings\patty\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-05-10 1205760]
"Adobe Reader Synchronizer"="c:\program files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe" [2011-06-06 1240992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-7-21 114688]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\CivilizationV.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\Launcher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/27/2010 1:38 PM 136360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 BlackBox;BlackBox SR2; [x]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [9/6/2010 4:29 PM 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 2:46 AM 198232]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 2:46 AM 198232]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 2:46 AM 1399384]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 2:46 AM 1399384]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 2:46 AM 73816]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 2:46 AM 73816]
S3 Diag69xp;Diag69xp;c:\windows\system32\Drivers\Diag69xp.sys --> c:\windows\system32\Drivers\Diag69xp.sys [?]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [8/9/2007 11:25 AM 70144]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3599948769-1508766627-293611528-1005Core.job
- c:\documents and settings\patty\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-24 21:07]
.
2011-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3599948769-1508766627-293611528-1005UA.job
- c:\documents and settings\patty\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-24 21:07]
.
2011-08-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3599948769-1508766627-293611528-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-08-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3599948769-1508766627-293611528-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thehungersite.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\documents and settings\patty\Application Data\Mozilla\Firefox\Profiles\7lhtdebw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.thehungersite.com/clickToGive/home.faces?siteId=1
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: keyword.url - hxxp://www.startsearcher.com/?q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-06 21:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3599948769-1508766627-293611528-1005\Software\SecuROM\License information*]
"datasecu"=hex:40,9f,9e,34,fe,7d,d8,5a,39,cf,c3,f5,80,06,b4,ea,ad,01,d4,2c,b2,
51,94,9d,67,04,a8,8a,91,06,97,59,d9,5e,be,0a,fd,7e,51,b7,ed,bf,9d,34,97,e0,\
"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(272)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-08-06 21:16:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-07 02:16
ComboFix2.txt 2011-08-04 22:53
.
Pre-Run: 86,391,623,680 bytes free
Post-Run: 86,288,121,856 bytes free
.
- - End Of File - - 8921F917399114BEC7D6F7F47DA939F1

ESET Log.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=82947cf6ca689d418b93680e37fa3451
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-07 03:50:26
# local_time=2011-08-06 10:50:26 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 48273620 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=153130
# found=2
# cleaned=0
# scan_time=5194
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1942\A0327293.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1942\A0327294.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
  • 0
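An added Python example, not code from the thread or from ComboFix, that applies the point of the CFScript above from a defender's side: it parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log, flags the Security Center values that silence monitoring or override firewall status (the log above still lists them as dword:00000001), and emits a Registry:: stanza in the same form the script used to reset them to 0. The sample log is constructed from a trimmed copy of lines in this thread; the function names are my own.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for Windows Security
Center tampering, and build the Registry:: stanza of a CFScript that resets it."""
import re

# Constructed sample: a trimmed copy of the REGEDIT4-style section from the log above.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-12-29 1653248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'
# Values that, when set to 1, stop Security Center from alerting on AV/firewall state.
# Only the two names that appear in the thread's log are checked here.
SUSPECT_VALUES = {'disablemonitoring', 'firewalloverride'}


def parse_reg_points(log_text):
    """Return {key_path: {value_name: raw_data}} for every [key] block in the section.
    Lines that are neither a key header nor a "name"=data pair (the '.' separators,
    REGEDIT4, the *Note* line) are ignored."""
    entries = {}
    current = None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group('name')] = m.group('data').strip()
    return entries


def dword(raw):
    """Decode 'dword:00000001' to an int; return None for string or other data."""
    if raw.lower().startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    return None


def audit_security_center(entries):
    """Return sorted (key_path, value_name, raw_data) triples for Security Center
    values set to 1, i.e. monitoring disabled or firewall status overridden."""
    findings = []
    for key, values in entries.items():
        if not key.lower().startswith(SECURITY_CENTER):
            continue
        for name, raw in values.items():
            if name.lower() in SUSPECT_VALUES and dword(raw) == 1:
                findings.append((key, name, raw))
    return sorted(findings)


def cfscript_registry_stanza(findings):
    """Emit a Registry:: stanza in the form used in the CFScript above, resetting
    each flagged value to 0 so Security Center monitoring is re-enabled."""
    lines = ['Registry::']
    for key, name, _ in findings:
        lines.append(f'[{key}]')
        lines.append(f'"{name}"= 0')
    return '\n'.join(lines)


if __name__ == '__main__':
    found = audit_security_center(parse_reg_points(SAMPLE_LOG))
    for key, name, raw in found:
        print(f'{key}\\{name} = {raw}')
    print(cfscript_registry_stanza(found))
```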

#18
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

With regard to the no sound issue, the only other things I can think of are to uninstall then reinstall the software and drivers, and the other is a wee bit of a long shot... try a different set of speakers if able. If still a problem we can refer you to another part of the forum to see if one of the GTG IT Tech Staff can be of assistance, as primarily both this part of the forum and myself only provide Anti-Malware support.

With regard to what has been flagged by the online scan, not a cause for concern as it merely denotes infected system restore points which will be dealt with when we uninstall ComboFix... part of its uninstallation routine flushes old system restore points and sets a new clean one etc.

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK

firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE 7 (JDK or JRE). Click on Download JRE.
  • Check (tick) Java SE Runtime Environment 7 License Agreement box.
  • Click on jre-7-windows-i586.exe link next to Windows x86 Offline to download it and save this to a convenient location.
  • Double-click on jre-7-windows-i586.exe to install Java.
Next:

Let myself know when completed the above and if any further issues remaining, thank you.
  • 0

#19
Pat Williams

    Member

  • Topic Starter
  • Member
  • 47 posts
Everything done, other than no sound things are peachy.

I have changed speakers, tried headphones, nothing, other than static and that "thump" noise when plugging/unplugging speakers.

I'll have to look into whether I still have the software for these speakers ... they were working fine up until a month ago, and they were my daughter's speakers, so I didn't think about saving the discs ...

I do need guidance into uninstalling all this stuff we've installed, if you wouldn't mind.

Edited by Pat Williams, 07 August 2011 - 01:11 PM.

  • 0

#20
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

Everything done, other than no sound things are peachy.

OK.

I have changed speakers, tried headphones, nothing, other than static and that "thump" noise when plugging/unplugging speakers.

I'll have to look into whether I still have the software for these speakers ... they were working fine up until a month ago, and they were my daughter's speakers, so I didn't think about saving the discs ...

No harm I think seeking a second opinion about this issue then with the IT Tech staff here in GTG as I mentioned prior. Just create a new topic in this part of the forum:-

Hardware, Components and Peripherals

If you so wish mention the fact I advised you seek further assistance and include the URL for this topic:-

http://www.geekstogo.com/forum/topic/305081-desktop-settings-revert-to-defaults-on-reboot-also-no-sound/

I do need guidance into uninstalling all this stuff we've installed, if you wouldn't mind.

By all means...

Next:

Congratulations your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

So is this:

What to do if your Computer is running slowly

Next:

Re-enable CD Emulation drivers with DeFogger.

  • Double-click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Note: If you are not prompted to reboot your machine the clean up procedure with OTL below will do this anyway.

Uninstall ComboFix:

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the Open field and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • (screenshot)
Clean up with OTL:

  • Double-click OTL to start the program.
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, depress the CleanUp button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed security application, Avira AntiVir, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also once per week.

Erunt:

Emergency Recovery Utility NT, I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

  • I advise you visit: http://update.micros...t.aspx?ln=en-us
  • Install the Active X
  • Once installed it will advise you to set Auto-Updates if not set, and then you will be able to manually check for updates also via:
  • Start >> All Programs >> Microsoft Updates
Update to Internet Explorer v8:

I strongly advise you download and install the new browser from here. This will increase overall security whilst browsing online.

Note: IE9 is not compatible with the XP Operating System.

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

Only use one of the above!

Install WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

Next:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

Any questions? Feel free to ask, if not stay safe!
  • 0

#21
Pat Williams

    Member

  • Topic Starter
  • Member
  • 47 posts
Well, I'm glad not to have malware. But my desktop settings are reverting to default again ... :)

Also, I can't find how to uninstall NTREGOPT, which installed with RKU.

Edited by Pat Williams, 09 August 2011 - 07:20 AM.

  • 0

#22
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

But my desktop settings are reverting to default again

I suspect the Malware that was on-board your machine may have corrupted/damaged your actual user account/profile. So basically it is not loading up correctly when you initially boot up your machine. Though it is also feasible that the ongoing hardware issue is the culprit.

Reboot your machine, then afterwards log off the account, then log back on again and check if it is still the same problem. If still a problem afterwards, my advice would be to wait until you have finished your new topic with rshaffer61, then see if it is still the same and, if so, you will probably have to create a new user account, transfer your settings etc. to it from your original and then delete the damaged one.

This Microsoft article explains how to accomplish the aforementioned:-

How to copy data from a corrupted user profile to a new profile in Windows XP

By all means mention about this problem to rshaffer61 and show him what I advised as he may have a better solution than I.

Also, I can't find how to uninstall NTREGOPT, which installed with RKU.

Actually this is a component of Erunt (the registry backup software) and it would only be removed if you actually choose to uninstall Erunt. Now if there is a desktop icon for NTREGOPT, you can safely delete that.
  • 0

#23
Pat Williams

Pat Williams

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Thank you very much for all your help! :)
  • 0

#24
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
You're welcome! :)
  • 0

#25
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#26
Pat Williams

Pat Williams

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hi,

I had computer help here: http://www.geekstogo...-also-no-sound/

Now I have a most puzzling problem with my browsers: I can't see certain ads.

I run an online business, and in order to run my site I need to be able to see things like Infolinks, Google ads, and banner ads that are on my site. I have not been able to see them since. Also, on my web host interface there are buttons I suddenly cannot see now. I have talked to the Infolinks people as well as my web host, and they can't duplicate the issue, they only all confirm that it's a browser settings problem.

I mostly use Firefox 6.0, but the same problem is on Google Chrome 12 and IE 8. I use Windows XP Media Center SP3.

I have tried disabling WinPatrol (which I was advised to download) and this does not solve the problem. Also, the issue was there before I upgraded to Firefox 6.0 (which doesn't seem to support the Java plug-ins I have).

Any advice you can give would be appreciated. :)

Edited by Pat Williams, 21 August 2011 - 11:15 AM.

  • 0

#27
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Re-opened at OP's request.
  • 0

#28
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi again. :)

I merged the topics to make it a tad easier etc...

OK, I do not think WinPatrol is the cause here. Did you install one of the advised Hosts Files? If so, that would account for what you mentioned, and it is doing exactly as it is meant to, as in blocking various ads which could be deemed malicious in nature.

Now if you wish to have the Host File reset to default so you are able to view the aforementioned ads again, that is at your own discretion and I will do so for you, but please be aware doing so lowers the overall security of your machine when used online.
  • 0

#29
Pat Williams

Pat Williams

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hi,

Yes, I did install one of the host files, I think it was from the second link you posted.

I'm sure this is an unusual request, but I do need to see the ads on my own website, and if this will fix the issues I'm having with my web host's control panel I would be most grateful.
  • 0

#30
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

Yes, I did install one of the host files, I think it was from the second link you posted.

OK.

I'm sure this is an unusual request, but I do need to see the ads on my own website, and if this will fix the issues I'm having with my web host's control panel I would be most grateful.

By all means, and not a problem at all, as at the end of the day the machine in question is your property.

Reset Host File:

  • Open Notepad: Start >> Run... type in notepad and select OK
  • Copy and Paste everything from the Code Box below into Notepad:
@Echo off
rem Switch to the folder that holds the hosts file
pushd \windows\system32\drivers\etc
rem Clear the hidden, system and read-only attributes so the file can be overwritten
attrib -h -s -r hosts
rem Write a minimal hosts file containing only the localhost entry
echo 127.0.0.1 localhost>HOSTS
rem Restore the attributes, return to the previous folder and delete this batch file
attrib +r +h +s hosts
popd
del %0
  • Go to File >> Save As
  • Save File name as "Dakeyras.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this: [screenshot omitted]
Now double-click on the desktop Dakeyras.bat to run the batch file. It will self-delete when completed.

Note: If you still have WinPatrol installed, it will prompt about the change to the Host File at some point, merely acknowledge/allow the change.
  • 0
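The diagnosis in #28 (a blocking Hosts file sink-holing the ad and control-panel hostnames) and the full reset in #30 can both be checked without blind guesswork. The following is an added example, not code from the thread: it parses a constructed sample Hosts file, reports which names are sent to a blackhole address, and builds a copy that releases only the names the site owner relies on while keeping the rest of the blocklist intact. All hostnames are constructed example.* placeholders.

```python
"""Hosts-file blocking check (added example, not code from the thread)."""
import ipaddress

# Addresses that blocking hosts files commonly use to sink-hole a name.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the style the thread describes (example.* names only).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ads.example.com   # ad network
0.0.0.0   tracker.example.net cdn-ads.example.org
127.0.0.1 panel.example-host.com  # control-panel asset caught by the list
"""

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments and bad lines skipped."""
    for raw in text.splitlines():
        fields = raw.partition("#")[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address, so not a mapping
        for name in fields[1:]:
            yield ip, name.lower()

def blocked_names(text):
    """Hostnames the file sends to a blackhole address (localhost excluded)."""
    return {name for ip, name in parse_hosts(text)
            if ip in BLACKHOLE_IPS and name != "localhost"}

def release_names(text, allow):
    """Copy of the file with the given names removed from blocking lines;
    all other entries, comments and blank lines are kept verbatim."""
    allow = {a.lower() for a in allow}
    out = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) >= 2 and fields[0] in BLACKHOLE_IPS:
            keep = [h for h in fields[1:] if h.lower() not in allow]
            if not keep:
                continue  # every name on the line released: drop the line
            if keep != fields[1:]:
                raw = fields[0] + " " + " ".join(keep) + ("  #" + comment if comment else "")
        out.append(raw)
    return "\n".join(out) + "\n"
```

Running blocked_names over the real file (C:\Windows\System32\drivers\etc\hosts) before resetting shows exactly which hostnames the blocklist is intercepting, and release_names lets the control-panel or ad hostnames be unblocked without giving up the rest of the list.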
