hijacked browsing after rogue.fakehdd removed. [Solved]
#16
Posted 13 January 2012 - 05:53 PM
#17
Posted 13 January 2012 - 06:02 PM
Use Revo Uninstaller to remove a program
Click here to download Revo Uninstaller
Once downloaded, double click the file and follow the prompts to install it
Run Revo Uninstaller, then click the program you want to remove, then click Uninstall at the top
Click Yes to confirm, then click Next
After it has run the official uninstaller, click Next to search for leftover information
If it finds any leftover files and folders, click Select All, then Delete
Click Next after it has removed the leftovers, then click Finish
#18
Posted 13 January 2012 - 06:16 PM
www.malwarebytes.org
Database version: v2012.01.13.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: YAW [administrator]
1/13/2012 7:06:15 PM
mbam-log-2012-01-13 (19-06-15).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 187808
Time elapsed: 4 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-------------------------------
MiniToolBox by Farbar
Ran by User (administrator) on 13-01-2012 at 19:14:34
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
========================= Event log errors: ===============================
Application errors:
==================
Error: (01/08/2012 03:20:05 PM) (Source: Application Hang) (User: )
Description: Hanging application OTL.exe, version 3.2.31.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error: (01/08/2012 11:54:09 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]
Error: (01/08/2012 11:50:58 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]
Error: (01/08/2012 11:50:00 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]
Error: (01/08/2012 11:49:00 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]
Error: (01/08/2012 11:24:51 AM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Error: (01/08/2012 10:01:17 AM) (Source: Application Error) (User: )
Description: Faulting application spybotsd.exe, version 1.6.2.46, faulting module spybotsd.exe, version 1.6.2.46, fault address 0x00004d8a.
Processing media-specific event for [spybotsd.exe!ws!]
Error: (01/08/2012 08:38:39 AM) (Source: Application Hang) (User: )
Description: Hanging application rnr_gui.exe, version 3.10.17.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error: (01/08/2012 08:38:36 AM) (Source: Application Hang) (User: )
Description: Hanging application rnr_gui.exe, version 3.10.17.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error: (01/07/2012 07:36:05 PM) (Source: MsiInstaller) (User: Administrator)Administrator
Description: The installation of C:\Documents and Settings\Administrator\Desktop\HijackThis.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.
System errors:
=============
Error: (01/13/2012 04:32:17 PM) (Source: Service Control Manager) (User: )
Description: The tvtnetwk service terminated unexpectedly. It has done this 1 time(s).
Error: (01/13/2012 04:32:17 PM) (Source: Service Control Manager) (User: )
Description: The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
Error: (01/13/2012 02:41:35 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
Error: (01/13/2012 02:40:35 PM) (Source: DCOM) (User: User)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error: (01/13/2012 02:36:20 PM) (Source: DCOM) (User: User)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error: (01/13/2012 02:35:25 PM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
Error: (01/13/2012 02:33:53 PM) (Source: DCOM) (User: User)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Smapint
Tcpip
TDSMAPI
TPHKDRV
TPPWRIF
TSMAPIP
WS2IFSL
Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31
Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31
Microsoft Office Sessions:
=========================
Error: (01/08/2012 03:20:05 PM) (Source: Application Hang)(User: )
Description: OTL.exe3.2.31.0hungapp0.0.0.000000000
Error: (01/08/2012 11:54:09 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc
Error: (01/08/2012 11:50:58 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc
Error: (01/08/2012 11:50:00 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc
Error: (01/08/2012 11:49:00 AM) (Source: Application Error)(User: )
Description: nirkmd.3xe2.3.5.189nirkmd.3xe2.3.5.1890000b9cc
Error: (01/08/2012 11:24:51 AM) (Source: EventSystem)(User: )
Description: d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp44800706BA
Error: (01/08/2012 10:01:17 AM) (Source: Application Error)(User: )
Description: spybotsd.exe1.6.2.46spybotsd.exe1.6.2.4600004d8a
Error: (01/08/2012 08:38:39 AM) (Source: Application Hang)(User: )
Description: rnr_gui.exe3.10.17.0hungapp0.0.0.000000000
Error: (01/08/2012 08:38:36 AM) (Source: Application Hang)(User: )
Description: rnr_gui.exe3.10.17.0hungapp0.0.0.000000000
Error: (01/07/2012 07:36:05 PM) (Source: MsiInstaller)(User: Administrator)Administrator
Description: C:\Documents and Settings\Administrator\Desktop\HijackThis.msi(NULL)(NULL)(NULL)
========================= Devices: ================================
========================= Memory info: ===================================
Percentage of memory in use: 37%
Total physical RAM: 1014.42 MB
Available physical RAM: 631.59 MB
Total Pagefile: 2440.38 MB
Available Pagefile: 2144.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.9 MB
========================= Partitions: =====================================
1 Drive c: (Preload) (Fixed) (Total:70.14 GB) (Free:13.47 GB) NTFS
========================= Users: ========================================
User accounts for \\YAW
Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 User
**** End of log ****
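The MiniToolBox report above is plain text in a fixed layout, so the "Event log errors" section can be triaged mechanically rather than read line by line. The Python below is an added example, not part of the original thread and not code from Farbar's tool: it parses each "Error: (date) (Source: ...) (User: ...)" record, counts repeated application crashes per executable, lists the drivers named in a Service Control Manager "failed to load" event (event ID 7026), and pulls out the path that the software restriction policy refused to install. The sample is a constructed, shortened excerpt of the report posted above. The `looks_like_safe_mode_boot` heuristic is this example's own assumption: AFD, Tcpip, NetBT, IPSec, MRxSmb, Rdbss and WS2IFSL are exactly the drivers a Safe Mode boot without networking does not start, so a 7026 event naming them is expected after such a boot, whereas the same list logged from a Normal boot would call for checking the AFD and Tcpip service entries.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a shortened excerpt of the MiniToolBox report posted
# in this thread, kept in the tool's own line format.
SAMPLE = r"""
Application errors:
==================
Error: (01/08/2012 11:54:09 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]
Error: (01/08/2012 11:50:58 AM) (Source: Application Error) (User: )
Description: Faulting application nirkmd.3xe, version 2.3.5.189, faulting module nirkmd.3xe, version 2.3.5.189, fault address 0x0000b9cc.
Processing media-specific event for [nirkmd.3xe!ws!]
Error: (01/07/2012 07:36:05 PM) (Source: MsiInstaller) (User: Administrator)Administrator
Description: The installation of C:\Documents and Settings\Administrator\Desktop\HijackThis.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.
System errors:
=============
Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
Tcpip
SASDIFSV
Error: (01/13/2012 02:33:50 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31
"""

EVENT_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) \(User: (?P<user>[^)]*)\)"
)
BANNER_RE = re.compile(r"^(=+|(Application|System) errors:|Microsoft Office Sessions:)$")
FAULT_RE = re.compile(r"Faulting application (?P<app>[^,]+), version (?P<ver>[\d.]+)")
SRP_RE = re.compile(
    r"The installation of (?P<path>.+?) is not permitted due to an error in software restriction policy"
)


def parse_events(report):
    """Split a MiniToolBox 'Event log errors' section into event records.

    Each record holds ts (datetime), source, user, description (the text after
    'Description: ') and extra (the continuation lines that follow it, e.g. the
    driver names under a 7026 event or the '%%31' error code)."""
    events, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            current = {
                "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
                "source": m.group("source").strip(),
                "user": m.group("user").strip(),
                "description": "",
                "extra": [],
            }
            events.append(current)
        elif BANNER_RE.match(line):
            current = None  # section heading: following lines belong to no event
        elif current is None or not line:
            continue
        elif line.startswith("Description: "):
            current["description"] = line[len("Description: "):]
        else:
            current["extra"].append(line)
    return events


def crashing_apps(events):
    """Count 'Application Error' events per faulting executable."""
    counts = Counter()
    for ev in events:
        if ev["source"] == "Application Error":
            m = FAULT_RE.search(ev["description"])
            if m:
                counts[m.group("app")] += 1
    return counts


def failed_drivers(events):
    """Drivers named in Service Control Manager 'failed to load' events (ID 7026)."""
    names = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and "failed to load" in ev["description"]:
            names.extend(ev["extra"])
    return names


def looks_like_safe_mode_boot(drivers):
    """Heuristic (assumption of this example): AFD and Tcpip are never started
    on a Safe Mode boot without networking, so a 7026 event naming both is the
    normal trace of such a boot; from a Normal boot it would be a red flag."""
    return {"AFD", "Tcpip"} <= set(drivers)


def policy_blocks(events):
    """Paths that the software restriction policy refused to install."""
    return [m.group("path") for ev in events
            if ev["source"] == "MsiInstaller"
            for m in [SRP_RE.search(ev["description"])] if m]


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(crashing_apps(evs))
    print(failed_drivers(evs), looks_like_safe_mode_boot(failed_drivers(evs)))
    print(policy_blocks(evs))
```

Run against a full report, `crashing_apps` surfaces the executable that keeps faulting (here the oddly named nirkmd.3xe, four times in a few minutes), `failed_drivers` separates the Safe Mode artefact from genuinely missing drivers such as the SASDIFSV/SASKUTIL leftovers, and `policy_blocks` shows that a restriction policy is active on a home machine, which is worth a look at HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers before assuming it is benign.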
#19
Posted 13 January 2012 - 06:22 PM
#20
Posted 14 January 2012 - 05:12 AM
Let's now remove the leftovers of Comodo with ComboFix.
Remove Items with ComboFix
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
SecCenter::
{043803A5-4F86-4ef7-AFC5-F6E02A79969B}
{043803A3-4F86-4ef6-AFC5-F6E02A79969B}
Folder::
C:\Program Files\COMODO
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
In your next reply
Please post the contents of...
ComboFix log
#21
Posted 14 January 2012 - 09:51 AM
Unknown device Properties\Details:
Device Instance ID: ROOT\LEGACY_SASKUTIL\0000
Current Power State: D3
Power Capabilities: PDCAP_D0_SUPPORTED
PDCAP_D3_SUPPORTED
This may be left over from uninstalling superantispyware. Also, before I rid myself of the original virus, I uninstalled firefox because antivirus scans were getting hung up on firefox folder/files. It seems that firefox also did not uninstall cleanly... although I suppose this doesn't matter much since I will eventually reinstall firefox. In fact, I will reinstall this drive in the spring so as long as I am not currently infected, it isn't necessary to perfectly fix everything.
When I dropped cfscript.txt onto combofix, combofix did its thing and then the same message popped up again "Warning!" antivirus: AVG Anti-Virus Free Edition 2011 Antivirus and intrusion prevention programs are known to... Please disable these scanners before clicking 'OK'.
I found this to be set to startup on windows boot: cmd.exe /c start http://www.avg.com/w...&ver=10.0.1416
ComboFix 12-01-13.05 - User 01/14/2012 10:32:29.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.540 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\COMODO
c:\program files\COMODO\COMODO Internet Security\repair\install_init.xml
c:\program files\COMODO\COMODO Internet Security\translations\cavscan.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cavshell.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfp.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfpconfg.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfplogvw.arabic.lang
c:\program files\COMODO\COMODO Internet Security\translations\cfpupdat.arabic.lang
.
.
((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
.
.
2012-01-14 15:14 . 2012-01-14 15:14 -------- d-----w- c:\documents and settings\User\Application Data\VSRevoGroup
2012-01-14 00:19 . 2012-01-14 00:19 -------- d-----w- c:\program files\Revo Uninstaller
2012-01-08 19:15 . 2012-01-08 19:15 -------- d-----w- c:\program files\SpywareBlaster
2012-01-08 13:52 . 2012-01-08 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-08 13:52 . 2012-01-08 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-08 04:00 . 2012-01-08 04:00 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2012-01-08 00:36 . 2012-01-08 00:36 -------- d-----w- C:\!KillBox
2012-01-08 00:17 . 2012-01-08 00:17 -------- d-----w- C:\found.000
2012-01-07 22:59 . 2012-01-07 22:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-01-07 22:58 . 2012-01-07 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-07 22:58 . 2012-01-07 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 22:58 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 22:56 . 2012-01-07 22:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-01-07 20:12 . 2012-01-07 20:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-07 17:40 . 2012-01-07 17:41 -------- d-----w- C:\bd_logs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-08 05:00 . 2011-03-25 04:28 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-12-27 16:31 . 2011-11-01 20:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-08_18.37.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-14 14:42 . 2012-01-14 14:42 16384 c:\windows\temp\Perflib_Perfdata_708.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [2005-07-12 94208]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-09 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-09 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-09 131072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-08-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1416" [?]
.
c:\documents and settings\User\Start Menu\backup\Programs\Startup\
Stickies.lnk.disabled [2011-7-10 719]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-10-25 19:13 821144 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-10-25 19:13 36760 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Synchronizer]
2010-10-25 19:13 1216416 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 04:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
2006-08-16 17:07 69632 ------w- c:\program files\Lenovo\AwayTask\AwaySch.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2006-05-25 16:13 208896 ------w- c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-05-19 00:24 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-02-02 13:20 122940 ------w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-11-26 18:54 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-28 00:50 221184 ------w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-28 00:50 81920 ------w- c:\program files\Common Files\Installshield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2006-07-04 16:11 110592 ------w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 18:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-08-08 13:56 421888 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-11-26 18:54 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2006-07-15 02:05 503808 ------w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SUService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"InCDsrv"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yawcam\\Yawcam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:yaw stream tcp
"8081:UDP"= 8081:UDP:yaw stream udp
"8888:TCP"= 8888:TCP:yaw http tcp
"8888:UDP"= 8888:UDP:yaw http udp
"465:TCP"= 465:TCP:smtp gmail
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 6:55 PM 3968]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [3/24/2011 11:05 PM 13840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 16:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\User_Feed_Synchronization-{407DC8A4-E999-477E-95DC-A24C0D9B2E49}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = vegetation station
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-14 10:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1697861012-3424590130-1003572462-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1396)
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
Completion time: 2012-01-14 10:39:26
ComboFix-quarantined-files.txt 2012-01-14 15:39
ComboFix2.txt 2012-01-13 21:48
ComboFix3.txt 2012-01-08 18:52
.
Pre-Run: 8,576,397,312 bytes free
Post-Run: 8,600,145,920 bytes free
.
- - End Of File - - 56752236764C96E3116DB685C23CF2CA
Edited by b3l, 14 January 2012 - 09:53 AM.
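ComboFix's "Reg Loading Points" section is a registry dump in a fixed layout ([key] blocks of "name"=value lines), so the firewall exceptions and autostart entries in the log above can be extracted and reviewed instead of eyeballed. The Python below is an added example, not code from the thread or from ComboFix; the sample is the firewall-policy and RunOnce entries copied from the log as posted, including the `[?]` marker ComboFix prints when it cannot resolve an entry to a file. The check it adds is the one a practitioner would want here: GloballyOpenPorts entries are inbound exceptions, and the Windows XP firewall filters inbound traffic only, so an entry like "465:TCP smtp gmail" does nothing for sending mail and merely leaves a port reachable from the network. The `MAIL_CLIENT_PORTS` set is this example's own assumption.

```python
import re

# Constructed sample: the firewall-policy and RunOnce entries copied from the
# ComboFix log posted above, in ComboFix's own "Reg Loading Points" layout.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1416" [?]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yawcam\\Yawcam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:yaw stream tcp
"8888:TCP"= 8888:TCP:yaw http tcp
"465:TCP"= 465:TCP:smtp gmail
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')

# Assumption of this example: ports a desktop connects *out* to for mail.
# An inbound exception for them cannot help a mail client, because the XP
# firewall filters inbound connections only.
MAIL_CLIENT_PORTS = {25, 110, 143, 465, 587, 993, 995}


def parse_reg_dump(text):
    """Map each [key] block of a ComboFix registry dump to its "name"=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value").strip()
    return sections


def open_ports(sections):
    """(port, protocol, label) for every GloballyOpenPorts entry in any profile."""
    found = []
    for key, values in sections.items():
        if key.lower().endswith(r"globallyopenports\list"):
            for name, value in values.items():
                port, proto = name.split(":", 1)
                label = value.split(":", 2)[2] if value.count(":") >= 2 else ""
                found.append((int(port), proto, label))
    return found


def authorized_apps(sections):
    """Executables allowed to accept inbound connections, across profiles."""
    apps = []
    for key, values in sections.items():
        if key.lower().endswith(r"authorizedapplications\list"):
            apps.extend(values)  # the path is the value name; the data is empty
    return apps


def unresolved_autostarts(sections):
    """Run/RunOnce entries whose target ComboFix could not resolve (marked [?])."""
    return [(key.rsplit("\\", 1)[-1], name, value)
            for key, values in sections.items()
            if key.lower().endswith(("\\run", "\\runonce"))
            for name, value in values.items() if value.endswith("[?]")]


def review_firewall(sections):
    """Human-readable findings for the inbound exceptions in the dump."""
    findings = []
    for port, proto, label in open_ports(sections):
        if port in MAIL_CLIENT_PORTS:
            findings.append(f"{port}/{proto} ({label}): outbound mail needs no inbound "
                            f"exception; this only exposes a listener")
        else:
            findings.append(f"{port}/{proto} ({label}): inbound listener reachable from the network")
    for key, values in sections.items():
        if key.lower().endswith("icmpsettings") and values.get("AllowInboundEchoRequest", "").startswith("1"):
            findings.append("inbound ICMP echo allowed: the host answers ping")
    return findings


if __name__ == "__main__":
    secs = parse_reg_dump(SAMPLE)
    for finding in review_firewall(secs):
        print(finding)
    print(authorized_apps(secs))
    print(unresolved_autostarts(secs))
```

The same parser reads the [HKEY_LOCAL_MACHINE\...\Run] block, so `unresolved_autostarts` also picks up the RunOnce "AvgUninstallURL" entry the poster noticed; a RunOnce value that launches "start http://..." opens a browser on the next logon, which is exactly the kind of entry to account for when the complaint is hijacked browsing.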
#22
Posted 14 January 2012 - 12:41 PM
Yep, definitely SuperAntiSpyware. Can you click here and download the SAS Uninstaller. Just run the program and it will ask you to reboot when it's finished. If the New Hardware Found Wizard appears again, you will need to reinstall SuperAntiSpyware from here. This should then stop the wizard from appearing.

Unknown device Properties\Details:
Device Instance ID: ROOT\LEGACY_SASKUTIL\0000
Current Power State: D3
Power Capabilities: PDCAP_D0_SUPPORTED
PDCAP_D3_SUPPORTED

Have you run the AVG Removal Tool yet? It should have removed these leftovers of AVG.

When I dropped cfscript.txt onto combofix, combofix did its thing and then the same message popped up again "Warning!" antivirus: AVG Anti-Virus Free Edition 2011 Antivirus and intrusion prevention programs are known to... Please disable these scanners before clicking 'OK'.
#23
Posted 14 January 2012 - 12:59 PM
#24
Posted 14 January 2012 - 01:04 PM
Edited by b3l, 14 January 2012 - 01:05 PM.
#25
Posted 14 January 2012 - 01:08 PM
Superantispyware uninstall did the trick! And no more problems with USB eject.
#26
Posted 15 January 2012 - 12:03 PM
#27
Posted 15 January 2012 - 12:36 PM
1)
Download TFC to your desktop
- Open the file and close any other windows.
- It will close all programs itself when run, make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job
- Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean
2)
Java updates
- Click the Start button
- Click Control Panel
- Double Click Java
- Click the Update tab
- Click Update Now
- Allow any updates to be downloaded and installed
3)
Autoruns - Startup Items
- Click here to download Autoruns and Save it to your Desktop
- Extract the contents of Autoruns.zip by Right clicking it and choose Extract All (or Extract here if using WinRar)
- Once the contents have been extracted you will see a folder called Autoruns
- Open the folder and Double click on autoruns to launch the program
- Let the program finish scanning your PC. You will know it has finished scanning when it says Ready in the bottom left
- Click File then Save, then in the Save as type box select Text (.txt) then in the File Name box above, call it StartupItems.txt and save it to your Desktop
- Please attach the StartupItems.txt to your next reply
To attach a file...
- Click Add Reply as you would do normally
- Then within the 'Attachments' area, click Browse and select the file that you want to attach
- Click the Attach This File button
- Now click Add to Post on the right hand side, to insert the attachment into your post.
#28
Posted 15 January 2012 - 01:10 PM
Attached Files
#29
Posted 15 January 2012 - 01:33 PM
Autoruns Startup Modify
Open Autoruns
Once it has finished scanning and you see Ready in the bottom left corner, click the Logon tab at the top
Untick the following items:
- EZEJMNAP
- IgfxTray
- Persistence
- QuickTime Task
- SoundMAXPnP
- TPKMAPHELPER
- AvgUninstallURL
Now reboot your PC
I have purposely not disabled all of the Lenovo/IBM startup items, as some are needed in order to properly use or manage your Trackpad and Power controls etc.
Let's now perform a defrag, using Auslogics Disk Defrag instead of the built-in Windows utility.
Auslogics Disk Defrag
- Click here to download Auslogics Disk Defrag
- Once downloaded double click the file and follow the prompts to install (I would advise to UNtick the options to Install the Auslogics Toolbar and the Ask.com homepage as you go through the setup)
- Once installed, run the program and at the top make sure the C: Drive is ticked
- Then click the little downwards arrow next to Defrag and choose Defrag and Optimize
- Once complete, please reboot the PC
Let me know how the Laptop is running after performing these steps. Hopefully it's a bit better than it was previously.
#30
Posted 15 January 2012 - 05:01 PM
Followed your instructions. Defrag has seemed to help. Still getting the AVG notice about high memory usage and still showing higher pagefile but the machine is smoother and not crackling away the way it was before. I suppose I will know better over time. Are we done?
Edited by b3l, 15 January 2012 - 05:08 PM.