[RKinner]

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

Driver::
gupdate1c98bfb1cf4c428;
gupdatem



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go Combofix should start on its own.

Post the new log.

I'm not sure. Combofix removed some stuff but I'm not positive that was it.

Has Avast started updating on its own yet?

Ron

[Advertisements]

I'll do this when I get home tonight. Last night it did freeze on me after I watched a 45min clip on youtube in HD. It may have just been the browser (firefox) that was having an issue.

I'll post the results. Thanks again!

[Henry77]

I'll do this when I get home tonight. Last night it did freeze on me after I watched a 45min clip on youtube in HD. It may have just been the browser (firefox) that was having an issue.

I'll post the results. Thanks again!

[Henry77]

Yes, Avast appears to be updating like normal.

============================================================




ComboFix 11-09-24.04 - Hank 09/25/2011 9:29.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.627 [GMT -7:00]
Running from: c:\documents and settings\Hank\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Hank\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_gupdatem
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-21 04:35 . 2001-08-17 21:56 1733120 ----a-w- c:\windows\system32\dllcache\g400d.dll
2011-09-21 04:35 . 2001-08-17 19:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys
2011-09-21 04:35 . 2001-08-17 21:56 470144 ----a-w- c:\windows\system32\dllcache\g200d.dll
2011-09-21 04:35 . 2001-08-17 19:15 454912 ----a-w- c:\windows\system32\dllcache\fxusbase.sys
2011-09-21 04:33 . 2001-08-17 20:28 595647 ----a-w- c:\windows\system32\dllcache\es56cvmp.sys
2011-09-21 04:32 . 2001-08-17 19:12 28062 ----a-w- c:\windows\system32\dllcache\dp83820.sys
2011-09-21 04:31 . 2001-08-18 05:36 27136 ----a-w- c:\windows\system32\dllcache\cyzcoins.dll
2011-09-21 04:30 . 2004-08-10 10:00 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll
2011-09-21 04:29 . 2001-08-17 20:47 6272 ----a-w- c:\windows\system32\dllcache\apmbatt.sys
2011-09-21 04:28 . 2004-08-10 10:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2011-09-21 04:28 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-09-21 04:28 . 2004-08-10 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2011-09-21 04:28 . 2004-08-10 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2011-09-21 04:28 . 2004-08-10 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2011-09-21 04:28 . 2004-08-10 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2011-09-21 04:28 . 2004-08-10 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2011-09-21 04:28 . 2004-08-10 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2011-09-20 19:24 . 2011-09-20 19:24 -------- d-----w- C:\_OTL
2011-09-18 21:46 . 2011-09-18 21:46 -------- d-----w- c:\program files\Speccy
2011-08-30 03:24 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-30 03:24 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 03:03 . 2011-08-30 03:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 23:19 . 2011-07-22 23:19 1409 ----a-w- c:\windows\QTFont.for
2011-06-26 21:54 . 2011-06-15 03:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-03 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-9 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-2 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=sysaudio.sys
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1626:TCP"= 1626:TCP:Game
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/4/2010 8:32 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/4/2010 8:32 PM 17744]
S2 gupdate1c98bfb1cf4c428;Google Update Service (gupdate1c98bfb1cf4c428);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
FF - ProfilePath - c:\documents and settings\Hank\Application Data\Mozilla\Firefox\Profiles\x4wz7dvz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-25 09:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2280)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Connect 2\wmccds.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-09-25 09:42:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-25 16:42
.
Pre-Run: 892,608,512 bytes free
Post-Run: 921,714,688 bytes free
.
- - End Of File - - 0DAE3900089F3D1AE13E97E840408CDE

[RKinner]

That's about all I see in your logs. I think it's time to cleanup unless you have other problems:

We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 27 or 7 update 0). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should do Firefox, Add-ons, Extensions and disable any old Java Consoles

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not upgdate it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron