hijacked browsing after rogue.fakehdd removed. [Solved]


  • This topic is locked

#16 b3l (Member, Topic Starter, 20 posts)
Is there such a removal tool for Comodo too? My machine detects it also but it was supposed to be deleted ages ago.

#17 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
Just had a quick look and can't see an official removal tool for it. There are a couple about but not official ones from Comodo, so I can't guarantee what they're like and would probably not use them if it was me. Try Revo Uninstaller and see if this detects it. If it does, this should remove it for you. If not, I'll remove it manually :)


Use Revo Uninstaller to remove a program
Click here to download Revo Uninstaller
Once downloaded, double click the file and follow the prompts to install it
Run Revo Uninstaller, then click the program you want to remove, then click Uninstall at the top
Click Yes to confirm, then click Next
After it has run the official uninstaller, click Next to search for leftover information
If it finds any leftover files and folders, click Select All, then Delete
Click Next after it has removed the leftovers, then click Finish

#18 b3l (Member, Topic Starter, 20 posts)
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.13.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: YAW [administrator]

1/13/2012 7:06:15 PM
mbam-log-2012-01-13 (19-06-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 187808
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-------------------------------

MiniToolBox by Farbar
Ran by User (administrator) on 13-01-2012 at 19:14:34
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/08/2012 03:20:05 PM) (Source: Application Hang) (User: )
Description: Hanging application OTL.exe, version 3.2.31.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/08/2012 11:54:09 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]

Error: (01/08/2012 11:50:58 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]

Error: (01/08/2012 11:50:00 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]

Error: (01/08/2012 11:49:00 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]

Error: (01/08/2012 11:24:51 AM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Error: (01/08/2012 10:01:17 AM) (Source: Application Error) (User: )
Description: Faulting application spybotsd.exe, version 1.6.2.46, faulting module spybotsd.exe, version 1.6.2.46, fault address 0x00004d8a.
Processing media-specific event for [spybotsd.exe!ws!]

Error: (01/08/2012 08:38:39 AM) (Source: Application Hang) (User: )
Description: Hanging application rnr_gui.exe, version 3.10.17.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/08/2012 08:38:36 AM) (Source: Application Hang) (User: )
Description: Hanging application rnr_gui.exe, version 3.10.17.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/07/2012 07:36:05 PM) (Source: MsiInstaller) (User: Administrator)Administrator
Description: The installation of C:\Documents and Settings\Administrator\Desktop\HijackThis.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.


System errors:
=============
Error: (01/13/2012 04:32:17 PM) (Source: Service Control Manager) (User: )
Description: The tvtnetwk service terminated unexpectedly. It has done this 1 time(s).

Error: (01/13/2012 04:32:17 PM) (Source: Service Control Manager) (User: )
Description: The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).

Error: (01/13/2012 02:41:35 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/13/2012 02:40:35 PM) (Source: DCOM) (User: User)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (01/13/2012 02:36:20 PM) (Source: DCOM) (User: User)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (01/13/2012 02:35:25 PM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (01/13/2012 02:33:53 PM) (Source: DCOM) (User: User)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Smapint
Tcpip
TDSMAPI
TPHKDRV
TPPWRIF
TSMAPIP
WS2IFSL

Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31


Microsoft Office Sessions:
=========================
Error: (01/08/2012 03:20:05 PM) (Source: Application Hang)(User: )
Description: OTL.exe3.2.31.0hungapp0.0.0.000000000

Error: (01/08/2012 11:54:09 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc

Error: (01/08/2012 11:50:58 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc

Error: (01/08/2012 11:50:00 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc

Error: (01/08/2012 11:49:00 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc

Error: (01/08/2012 11:24:51 AM) (Source: EventSystem)(User: )
Description: d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp44800706BA

Error: (01/08/2012 10:01:17 AM) (Source: Application Error)(User: )
Description: spybotsd.exe1.6.2.46spybotsd.exe1.6.2.4600004d8a

Error: (01/08/2012 08:38:39 AM) (Source: Application Hang)(User: )
Description: rnr_gui.exe3.10.17.0hungapp0.0.0.000000000

Error: (01/08/2012 08:38:36 AM) (Source: Application Hang)(User: )
Description: rnr_gui.exe3.10.17.0hungapp0.0.0.000000000

Error: (01/07/2012 07:36:05 PM) (Source: MsiInstaller)(User: Administrator)Administrator
Description: C:\Documents and Settings\Administrator\Desktop\HijackThis.msi(NULL)(NULL)(NULL)


========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 37%
Total physical RAM: 1014.42 MB
Available physical RAM: 631.59 MB
Total Pagefile: 2440.38 MB
Available Pagefile: 2144.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.9 MB

========================= Partitions: =====================================

1 Drive c: (Preload) (Fixed) (Total:70.14 GB) (Free:13.47 GB) NTFS

========================= Users: ========================================

User accounts for \\YAW

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 User


**** End of log ****

#19 b3l (Member, Topic Starter, 20 posts)
Revo Uninstaller doesn't list Comodo.

#20 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
The log shows no new devices needing drivers etc. Could you do another restart of the PC and let me know if the New Hardware Found Wizard appears again please.


Let's now remove the leftovers of Comodo with ComboFix...



Remove Items with ComboFix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
{043803A5-4F86-4ef7-AFC5-F6E02A79969B}
{043803A3-4F86-4ef6-AFC5-F6E02A79969B}

Folder::
C:\Program Files\COMODO


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



In your next reply
Please post the contents of...
ComboFix log
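
The CFScript in the post above, as an added example that is not part of the original thread: the same two operations done directly in PowerShell so the effect of the SecCenter:: and Folder:: directives is visible and checkable before anything is deleted. It is not ComboFix's code. It assumes Windows XP SP3 with PowerShell 2.0 installed and an administrator account; the namespace root\SecurityCenter (root\SecurityCenter2 on Vista and later), the class names and the running-process check are this example's own, and the two GUIDs and the folder are the ones from the CFScript.

```powershell
# Added example, not from the thread: what the CFScript above asks ComboFix to do,
# done directly in PowerShell so each step is visible and checkable.
#   SecCenter::  -> delete Security Center (WMI) product registrations by instanceGuid
#   Folder::     -> delete a directory tree
# Assumptions: Windows XP SP3 with PowerShell 2.0 installed, run as an
# administrator; the WMI namespace is root\SecurityCenter on XP
# (root\SecurityCenter2 on Vista and later). Set $dryRun to $false to apply.

$dryRun = $true
$staleGuids = @(
    '{043803A5-4F86-4ef7-AFC5-F6E02A79969B}',   # the two GUIDs from the CFScript
    '{043803A3-4F86-4ef6-AFC5-F6E02A79969B}'
)
$leftoverFolder = 'C:\Program Files\COMODO'
$namespace = 'root\SecurityCenter'
$classes   = 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct'

# Everything registered with Security Center. A registration whose product is
# gone keeps Windows believing an antivirus is installed and keeps other tools
# (ComboFix's "Warning!" prompt, for one) seeing a product that is not there.
function Get-SecurityCenterProducts {
    foreach ($class in $classes) {
        Get-WmiObject -Namespace $namespace -Class $class -ErrorAction SilentlyContinue |
            Select-Object @{n='Class'; e={$_.__CLASS}}, displayName, instanceGuid
    }
}

# SecCenter:: equivalent. Returns the number of registrations removed (or, in a
# dry run, the number that would be).
function Remove-StaleSecurityCenterEntries {
    param([string[]]$Guids, [bool]$WhatIf)
    $removed = 0
    foreach ($class in $classes) {
        $matching = @(Get-WmiObject -Namespace $namespace -Class $class -ErrorAction SilentlyContinue |
            Where-Object { $Guids -contains $_.instanceGuid })
        foreach ($entry in $matching) {
            Write-Host ("{0} {1} '{2}' {3}" -f $(if ($WhatIf) { 'Would remove' } else { 'Removing' }),
                $class, $entry.displayName, $entry.instanceGuid)
            if (-not $WhatIf) { $entry | Remove-WmiObject }
            $removed++
        }
    }
    return $removed
}

# Folder:: equivalent, with the check ComboFix does not explain: refuse while
# something is still executing from the folder, since a running process would
# either block the delete or recreate files on the next boot.
function Remove-LeftoverFolder {
    param([string]$Path, [bool]$WhatIf)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "$Path is already gone"; return $false }
    $running = @(Get-Process | Where-Object {
        $_.Path -and $_.Path.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase) })
    if ($running.Count -gt 0) {
        Write-Warning ("Still running from {0}: {1}" -f $Path, (($running | ForEach-Object { $_.Name }) -join ', '))
        return $false
    }
    if ($WhatIf) { Write-Host "Would delete $Path"; return $true }
    Remove-Item -LiteralPath $Path -Recurse -Force
    Write-Host "Deleted $Path"
    return $true
}

Write-Host 'Security Center registrations before:'
Get-SecurityCenterProducts | Format-Table -AutoSize
$count = Remove-StaleSecurityCenterEntries -Guids $staleGuids -WhatIf $dryRun
Write-Host "$count stale registration(s) matched."
Remove-LeftoverFolder -Path $leftoverFolder -WhatIf $dryRun | Out-Null
Write-Host 'Security Center registrations after:'
Get-SecurityCenterProducts | Format-Table -AutoSize
```

Run it once with $dryRun left at $true and read the "before" table: only registrations whose displayName belongs to a product that is no longer installed should match the GUIDs. If a live product shows up, the GUIDs are wrong for this machine and nothing should be deleted.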

#21 b3l (Member, Topic Starter, 20 posts)
The Found New Hardware wizard is still coming up on reboot. In Device Manager it is listed as an Unknown Device with the following:

Unknown device Properties\Details:
Device Instance ID: ROOT\LEGACY_SASKUTIL\0000
Current Power State: D3
Power Capabilities: PDCAP_D0_SUPPORTED
PDCAP_D3_SUPPORTED

This may be left over from uninstalling SuperAntiSpyware. Also, before I rid myself of the original virus, I uninstalled Firefox because antivirus scans were getting hung up on Firefox folders/files. It seems that Firefox also did not uninstall cleanly... although I suppose this doesn't matter much since I will eventually reinstall Firefox. In fact, I will reinstall this drive in the spring, so as long as I am not currently infected, it isn't necessary to perfectly fix everything.


When I dropped CFScript.txt onto ComboFix, ComboFix did its thing and then the same message popped up again: "Warning!" antivirus: AVG Anti-Virus Free Edition 2011. Antivirus and intrusion prevention programs are known to... Please disable these scanners before clicking 'OK'.

I found this to be set to startup on windows boot: cmd.exe /c start http://www.avg.com/w...&"ver=10.0.1416



ComboFix 12-01-13.05 - User 01/14/2012 10:32:29.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.540 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\COMODO
c:\program files\COMODO\COMODO Internet Security\repair\install_init.xml
c:\program files\COMODO\COMODO Internet Security\translations\cavscan.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cavshell.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfp.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfpconfg.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfplogvw.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfpupdat.arabic.lang
.
.
((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
.
.
2012-01-14 15:14 . 2012-01-14 15:14 -------- d-----w- c:\documents and settings\User\Application Data\VSRevoGroup
2012-01-14 00:19 . 2012-01-14 00:19 -------- d-----w- c:\program files\Revo Uninstaller
2012-01-08 19:15 . 2012-01-08 19:15 -------- d-----w- c:\program files\SpywareBlaster
2012-01-08 13:52 . 2012-01-08 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-08 13:52 . 2012-01-08 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-08 04:00 . 2012-01-08 04:00 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2012-01-08 00:36 . 2012-01-08 00:36 -------- d-----w- C:\!KillBox
2012-01-08 00:17 . 2012-01-08 00:17 -------- d-----w- C:\found.000
2012-01-07 22:59 . 2012-01-07 22:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-07 22:58 . 2012-01-07 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-07 22:58 . 2012-01-07 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 22:58 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 22:56 . 2012-01-07 22:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-01-07 20:12 . 2012-01-07 20:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-07 17:40 . 2012-01-07 17:41 -------- d-----w- C:\bd_logs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-08 05:00 . 2011-03-25 04:28 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-12-27 16:31 . 2011-11-01 20:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( [email protected]_18.37.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-14 14:42 . 2012-01-14 14:42 16384 c:\windows\temp\Perflib_Perfdata_708.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [2005-07-12 94208]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-09 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-09 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-09 131072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-08-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1416" [?]
.
c:\documents and settings\User\Start Menu\backup\Programs\Startup\
Stickies.lnk.disabled [2011-7-10 719]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-10-25 19:13 821144 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-10-25 19:13 36760 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Synchronizer]
2010-10-25 19:13 1216416 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 04:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
2006-08-16 17:07 69632 ------w- c:\program files\Lenovo\AwayTask\AwaySch.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2006-05-25 16:13 208896 ------w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-05-19 00:24 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-02-02 13:20 122940 ------w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-11-26 18:54 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-28 00:50 221184 ------w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-28 00:50 81920 ------w- c:\program files\Common Files\Installshield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2006-07-04 16:11 110592 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 18:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-08-08 13:56 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-11-26 18:54 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2006-07-15 02:05 503808 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SUService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"InCDsrv"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yawcam\\Yawcam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:yaw stream tcp
"8081:UDP"= 8081:UDP:yaw stream udp
"8888:TCP"= 8888:TCP:yaw http tcp
"8888:UDP"= 8888:UDP:yaw http udp
"465:TCP"= 465:TCP:smtp gmail
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 6:55 PM 3968]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [3/24/2011 11:05 PM 13840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 16:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\User_Feed_Synchronization-{407DC8A4-E999-477E-95DC-A24C0D9B2E49}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = vegetation station
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-14 10:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1697861012-3424590130-1003572462-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1396)
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
Completion time: 2012-01-14 10:39:26
ComboFix-quarantined-files.txt 2012-01-14 15:39
ComboFix2.txt 2012-01-13 21:48
ComboFix3.txt 2012-01-08 18:52
.
Pre-Run: 8,576,397,312 bytes free
Post-Run: 8,600,145,920 bytes free
.
- - End Of File - - 56752236764C96E3116DB685C23CF2CA

Edited by b3l, 14 January 2012 - 09:53 AM.


#22 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)

Unknown device Properties\Details:
Device Instance ID: ROOT\LEGACY_SASKUTIL\0000
Current Power State: D3
Power Capabilities: PDCAP_D0_SUPPORTED
PDCAP_D3_SUPPORTED

Yep, definitely SuperAntiSpyware. Can you click here and download the SAS Uninstaller. Just run the program and it will ask you to reboot when it's finished. If the New Hardware Found Wizard appears again, you will need to reinstall SuperAntiSpyware from here. This should then stop the wizard from appearing.




When I dropped CFScript.txt onto ComboFix, ComboFix did its thing and then the same message popped up again: "Warning!" antivirus: AVG Anti-Virus Free Edition 2011. Antivirus and intrusion prevention programs are known to... Please disable these scanners before clicking 'OK'.

Have you run the AVG Removal Tool yet? It should have removed these leftovers of AVG.
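
The ROOT\LEGACY_SASKUTIL\0000 device node quoted above is the kind of thing this added example finds; it is not from the thread and not SuperAntiSpyware's or any vendor's code. Windows creates a ROOT\LEGACY_<service> node for each kernel-mode driver service, and when a product is uninstalled without removing that node the "Unknown device" and the Found New Hardware wizard come back on every boot. The script lists every LEGACY_ node whose service key or driver file is gone. It assumes XP SP3 with PowerShell 2.0 installed and an administrator account; the registry paths and the ImagePath normalisation are this example's own, and it only reports, so the SAS uninstaller (or the reinstall-then-uninstall advised above) is still the fix.

```powershell
# Added example, not from the thread: list ROOT\LEGACY_* device nodes whose
# driver service is missing or whose driver file is gone. Windows creates a
# LEGACY_<service> node for every kernel-mode driver service; when a product
# (here SuperAntiSpyware's SASKUTIL) is removed without deleting it, Plug and
# Play re-detects an "Unknown device" on each boot and the Found New Hardware
# wizard keeps coming back. Assumptions: XP SP3, PowerShell 2.0+, run as
# administrator. Reporting only; the SAS uninstaller (or a reinstall followed
# by a clean uninstall) is the fix, as above.

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn a service ImagePath (\??\C:\x.sys, system32\drivers\x.sys,
# \SystemRoot\system32\drivers\x.sys) into a plain path Test-Path understands.
function Resolve-DriverPath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:windir
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:windir $p }
    return $p
}

function Get-LegacyDeviceNodes {
    Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            $svc = $_.PSChildName -replace '^LEGACY_', ''      # LEGACY_SASKUTIL -> SASKUTIL
            $svcKey = Join-Path $services $svc
            $hasService = Test-Path $svcKey
            $driver = $null
            if ($hasService) {
                $driver = Resolve-DriverPath (Get-ItemProperty -Path $svcKey).ImagePath
            }
            New-Object PSObject -Property @{
                Node       = 'ROOT\' + $_.PSChildName
                Service    = $svc
                HasService = $hasService
                DriverFile = $driver
                FileExists = [bool]($driver -and (Test-Path -LiteralPath $driver))
            }
        }
}

# Orphans: no service key at all, or a service whose driver file no longer exists.
function Get-OrphanedLegacyDeviceNodes {
    Get-LegacyDeviceNodes | Where-Object { -not $_.HasService -or -not $_.FileExists }
}

Get-OrphanedLegacyDeviceNodes |
    Sort-Object Service |
    Format-Table Service, Node, HasService, FileExists, DriverFile -AutoSize -Wrap
```

A node with HasService False is the classic uninstaller leftover (the service was deleted, the device node was not). A node with HasService True but FileExists False means the service entry itself is stale and will also log a "failed to load" driver error at boot, which is worth comparing against the MiniToolBox driver list posted earlier in the thread.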

#23 b3l (Member, Topic Starter, 20 posts)
Yes, I tried running it three times and rebooted in between. Still the same. But since I will re-install avg, does it matter?

#24 b3l (Member, Topic Starter, 20 posts)
Superantispyware uninstall did the trick! And no more problems with USB eject.

Edited by b3l, 14 January 2012 - 01:05 PM.


#25 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
If you reinstall AVG I would think it will all be fine. We shouldn't need to run ComboFix again now anyway. If you can, try reinstalling AVG and let me know if you have any problems with it. Could you also check to see if Windows Update is working, as some recent event logs showed that the Windows Update service was struggling to run.



Superantispyware uninstall did the trick! And no more problems with USB eject.

:thumbsup:

#26 b3l (Member, Topic Starter, 20 posts)
Windows Update is working fine and AVG installed fine, working fine. With the new AVG I am getting notices of high memory usage for Internet Explorer. It doesn't happen all the time, but at those times the computer is grinding away and pagefile usage can get high. I only have 1 GB RAM but I don't believe this was a problem before.

#27 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
Good to hear AVG went back on without any errors and that Windows Update is working again. The grinding away issue in Internet Explorer could be caused by AVG itself. In the later versions it does add the AVG Toolbar by default, along with its Safe Search component and malicious script blocking etc. It may be a combination of them that's causing the occasional slowness. Let's see if we can speed things up in general now. Can you do the following steps and get back to me with the Autoruns log please...


1)
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean




2)
Java updates
  • Click the Start button
  • Click Control Panel
  • Double Click Java
  • Click the Update tab
  • Click Update Now
  • Allow any updates to be downloaded and installed
If the Java icon is not visible in Control Panel, please go to here and click "Free Java Download" to get the latest version.




3)
Autoruns - Startup Items
  • Click here to download Autoruns and Save it to your Desktop
  • Extract the contents of Autoruns.zip by Right clicking it and choose Extract All (or Extract here if using WinRAR)
  • Once the contents have been extracted you will see a folder called Autoruns
  • Open the folder and Double click on autoruns to launch the program
  • Let the program finish scanning your PC. You will know it has finished scanning when it says Ready in the bottom left
  • Click File then Save, then in the Save as type box select Text (.txt) then in the File Name box above, call it StartupItems.txt and save it to your Desktop
  • Please attach the StartupItems.txt to your next reply

To attach a file...
  • Click Add Reply as you would do normally
  • Then within the 'Attachments' area, click Browse and select the file that you want to attach
  • Click the Attach This File button
  • Now click Add to Post on the right hand side, to insert the attachment into your post.


#28 b3l (Member, Topic Starter, 20 posts)
I ran TFC and java update. Attached is StartupItems.txt. I would like to clean out as many startup and autorun items as possible, including lenovo programs that automatically start but I am unsure what is not necessary. Can you help me do this? Thanks again for all your help and time.


#29 BlackOxide (Trusted Helper, Malware Removal, 1,976 posts)
Yep sure, no problem, that's what we'll be doing now :)


Autoruns Startup Modify
Open Autoruns
Once it has finished scanning and you see Ready in the bottom left corner, click the Logon tab at the top
Untick the following items:

  • EZEJMNAP
  • IgfxTray
  • Persistence
  • QuickTime Task
  • SoundMAXPnP
  • TPKMAPHELPER
  • AvgUninstallURL
Once you have unticked those items, just close Autoruns using the top right X
Now reboot your PC


I have purposely not disabled all of the Lenovo/IBM startup items, as some are needed in order to properly use or manage your Trackpad and Power controls etc.



Let's now perform a defrag, but using Auslogics Disk Defrag instead of the built-in Windows utility.

Auslogics Disk Defrag
  • Click here to download Auslogics Disk Defrag
  • Once downloaded double click the file and follow the prompts to install (I would advise to UNtick the options to Install the Auslogics Toolbar and the Ask.com homepage as you go through the setup)
  • Once installed, run the program and at the top make sure the C: Drive is ticked
  • Then click the little downwards arrow next to Defrag and choose Defrag and Optimize
  • Once complete, please reboot the PC


Let me know how the Laptop is running after performing these steps. Hopefully it's a bit better than it was previously.
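
The Autoruns review in the two helper posts above (save the Logon tab, then untick the entries that are not needed), as an added example that is not part of the original thread and not Autoruns' code: a PowerShell pass over the same Logon locations (HKLM/HKCU Run and RunOnce plus both Startup folders) that resolves each command to an executable and flags the two things worth catching before deciding what to untick: entries that only launch a URL, like the leftover AvgUninstallURL value in the ComboFix log, and entries whose file no longer exists. It assumes XP SP3 with PowerShell 2.0 installed; the registry paths, the Shell Folders lookup and the flagging rules are this example's own, and it only reports, so the actual disabling is still done in Autoruns.

```powershell
# Added example, not from the thread: a script equivalent of reviewing the
# Autoruns Logon tab as done above. It walks the Run/RunOnce keys and the
# Startup folders, resolves each command to an executable, and flags entries
# that start a URL rather than a program (like the leftover AvgUninstallURL
# value in the ComboFix log) or whose file no longer exists. Assumes
# PowerShell 2.0+ on XP; reporting only, disabling is still done in Autoruns.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Startup folder locations as Explorer records them (works on XP and later).
$shellFolders = @{
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' = 'Startup'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' = 'Common Startup'
}
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# First token of a command line: a quoted path, or everything up to the first space.
function Get-ImageToken {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

# Bare names such as tp4serv.exe are found the way the loader finds them.
function Resolve-Image {
    param([string]$Image)
    $p = [Environment]::ExpandEnvironmentVariables($Image)
    if ($p -match '^[A-Za-z]:\\' -or $p.StartsWith('\\')) {
        if (Test-Path -LiteralPath $p -PathType Leaf) { return $p } else { return $null }
    }
    foreach ($dir in @("$env:windir\system32", $env:windir)) {
        $candidate = Join-Path $dir $p
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Get-LogonEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psNoise -contains $prop.Name) { continue }
            New-Object PSObject -Property @{ Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($key in $shellFolders.Keys) {
        $folder = (Get-ItemProperty -Path $key).($shellFolders[$key])
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($lnk in @(Get-ChildItem -Path $folder -Filter *.lnk)) {
            $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
            New-Object PSObject -Property @{ Location = $folder; Name = $lnk.Name; Command = $target }
        }
    }
}

function Test-LogonEntry {
    param($Entry)
    $flags = @()
    # "cmd.exe /c start http://..." or "start http://..." opens a web page and
    # runs no program: the kind of one-shot value an uninstaller leaves behind.
    if ($Entry.Command -match '(^|\s)start\s+"?https?://' -or $Entry.Command -match '^https?://') {
        $flags += 'URL launcher'
    }
    $image = Get-ImageToken $Entry.Command
    if ($image -and $image -notmatch '^https?://' -and -not (Resolve-Image $image)) {
        $flags += "file not found: $image"
    }
    $Entry | Add-Member -MemberType NoteProperty -Name Flags -Value ($flags -join '; ') -PassThru
}

Get-LogonEntries | ForEach-Object { Test-LogonEntry $_ } |
    Sort-Object Location, Name |
    Format-Table Name, Flags, Command -AutoSize -Wrap
```

Entries with an empty Flags column are at least real programs that exist; whether they need to run at logon (the QuickTime and Java updaters, the Intel graphics tray helpers) is the judgement call made in the untick list above, and the script leaves that to the reader.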

#30 b3l (Member, Topic Starter, 20 posts)
Can you tell me what rootkit I had and how you know what it is?

Followed your instructions. Defrag has seemed to help. Still getting the AVG notice about high memory usage and still showing higher pagefile but the machine is smoother and not crackling away the way it was before. I suppose I will know better over time. Are we done?

Edited by b3l, 15 January 2012 - 05:08 PM.
