Infected? Running slow.

Comments

• chiaz

  October 2008 edited October 2008

  Hello.
  
  
  Please download Malwarebytes' Anti-Malware by clicking the link below:
  http://www.besttechie.net/tools/mbam-setup.exe
  
  Double Click mbam-setup.exe to install the application.
  
  * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  * If an update is found, it will download and install the latest version.
  * Once the program has loaded, select "Perform Quick Scan", then click Scan.
  * The scan may take some time to finish,so please be patient.
  * When the scan is complete, click OK, then Show Results to view the results.
  * Make sure that everything is checked, and click Remove Selected.
  * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  * You'll be required to post the contents of this log later.
  
  Please Note:
  If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
  
  
  ==============================================
  
  
  Ok. Let's have you download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for downloading and instructions for running the tool:
  
  Go here ======> A guide and tutorial on using ComboFix <====== Go here
  
  Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2
  
  The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  
  Once installed, you should get a prompt that says:
  
  The Recovery Console was successfully installed.
  
  Please continue as follows:
  
  (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  (2) Click Yes to allow ComboFix to continue scanning for malware.
  
  When the tool is finished, it will produce a report for you.
  
  Please include the following reports for further review (copy and paste them, not attach), so that we may continue cleansing the system:
  
  MBAM log
  C:\ComboFix.txt
  New HijackThis log
  
  Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

  0
• brewsa

  October 2008 edited October 2008

  I forgot to add to that list Malwarebytes' Anti-Malware.
  
  Anyway i un-installed it and re-installed it from your link and ran it. Then realised it wasn't a good idea. Anyway i think the old log is still there, so i've posted both below in chronological order and your combofix thing.
  
  Sorry, i'm not making this easy am i, but i do appreciate the help.
  
  
  Malwarebytes' Anti-Malware 1.28
  Database version: 1233
  Windows 5.1.2600 Service Pack 2
  
  06/10/2008 15:13:19
  mbam-log-2008-10-06 (15-13-19).txt
  
  Scan type: Full Scan (A:\|C:\|D:\|F:\|)
  Objects scanned: 101637
  Time elapsed: 1 hour(s), 2 minute(s), 9 second(s)
  
  Memory Processes Infected: 0
  Memory Modules Infected: 0
  Registry Keys Infected: 5
  Registry Values Infected: 1
  Registry Data Items Infected: 0
  Folders Infected: 0
  Files Infected: 6
  
  Memory Processes Infected:
  (No malicious items detected)
  
  Memory Modules Infected:
  (No malicious items detected)
  
  Registry Keys Infected:
  HKEY_CLASSES_ROOT\CLSID\{5B5138A4-F5C9-EA13-C2E0-02C993932DFF} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
  HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
  HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
  HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
  
  Registry Values Infected:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\infomonui (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
  
  Registry Data Items Infected:
  (No malicious items detected)
  
  Folders Infected:
  (No malicious items detected)
  
  Files Infected:
  C:\Program Files\ioazzzc\InfoMonUi.dll (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.security (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  C:\WINDOWS\system32\drivers\etc\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
  C:\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
  C:\WINDOWS\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
  C:\Documents and Settings\Jackie\Start Menu\Programs\Startup\.security (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  
  
  
  
  
  Malwarebytes' Anti-Malware 1.28
  Database version: 1239
  Windows 5.1.2600 Service Pack 2
  
  07/10/2008 11:10:47
  mbam-log-2008-10-07 (11-10-47).txt
  
  Scan type: Quick Scan
  Objects scanned: 42787
  Time elapsed: 4 minute(s), 32 second(s)
  
  Memory Processes Infected: 0
  Memory Modules Infected: 0
  Registry Keys Infected: 0
  Registry Values Infected: 0
  Registry Data Items Infected: 0
  Folders Infected: 0
  Files Infected: 0
  
  Memory Processes Infected:
  (No malicious items detected)
  
  Memory Modules Infected:
  (No malicious items detected)
  
  Registry Keys Infected:
  (No malicious items detected)
  
  Registry Values Infected:
  (No malicious items detected)
  
  Registry Data Items Infected:
  (No malicious items detected)
  
  Folders Infected:
  (No malicious items detected)
  
  Files Infected:
  (No malicious items detected)
  
  
  
  
  
  
  ComboFix 08-10-06.05 - Jackie 2008-10-07 11:57:22.2 - NTFSx86
  Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.498 [GMT 1:00]
  Running from: C:\Documents and Settings\Jackie\Desktop\ComboFix.exe
  Command switches used :: C:\Documents and Settings\Jackie\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
  * Created a new restore point
  .
  
  ((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
  .
  
  2008-10-07 10:53 . 2008-10-07 10:54 <DIR> d

  ---

  C:\Program Files\Malwarebytes' Anti-Malware
  2008-10-07 10:53 . 2008-09-10 00:04 38,528 --a

  ---

  C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  2008-10-07 10:53 . 2008-09-10 00:03 17,200 --a

  ---

  C:\WINDOWS\system32\drivers\mbam.sys
  2008-10-06 20:42 . 2008-10-06 20:42 <DIR> d

  ---

  C:\Program Files\Trend Micro
  2008-10-06 16:22 . 2008-10-06 16:22 <DIR> d

  ---

  C:\Program Files\Auslogics
  2008-10-06 16:22 . 2008-10-06 16:22 <DIR> d

  ---

  C:\Documents and Settings\Jackie\Application Data\Auslogics
  2008-10-06 16:13 . 2008-10-06 16:13 <DIR> d

  ---

  C:\Program Files\Yahoo!
  2008-10-06 16:13 . 2008-10-06 16:13 <DIR> d

  ---

  C:\Program Files\CCleaner
  2008-10-06 15:58 . 2008-10-06 16:00 <DIR> d

  ---

  C:\Program Files\SpywareBlaster
  2008-10-06 14:08 . 2008-10-06 14:08 <DIR> d

  ---

  C:\Documents and Settings\Jackie\Application Data\Malwarebytes
  2008-10-06 14:08 . 2008-10-06 14:08 <DIR> d

  ---

  C:\Documents and Settings\All Users\Application Data\Malwarebytes
  2008-10-06 09:45 . 2008-10-06 20:06 <DIR> d-a

  ---

  C:\Documents and Settings\All Users\Application Data\TEMP
  2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d

  ---

  C:\Program Files\SUPERAntiSpyware
  2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d

  ---

  C:\Documents and Settings\Jackie\Application Data\SUPERAntiSpyware.com
  2008-10-05 20:44 . 2008-10-05 20:44 <DIR> d

  ---

  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
  2008-10-05 20:43 . 2008-10-05 20:43 <DIR> d

  ---

  C:\Program Files\Common Files\Wise Installation Wizard
  2008-10-05 20:16 . 2008-10-05 20:16 91 --a

  ---

  C:\WINDOWS\wininit.ini
  2008-10-05 19:44 . 2008-10-05 19:48 <DIR> d

  ---

  C:\Program Files\Spybot - Search & Destroy
  2008-10-05 19:44 . 2008-10-07 11:50 <DIR> d

  ---

  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
  2008-10-05 18:11 . 2008-10-05 18:11 <DIR> d

  ---

  C:\Program Files\Alwil Software
  2008-10-05 16:15 . 2008-10-05 18:00 <DIR> d--h

  ---

  C:\$AVG8.VAULT$
  2008-10-05 16:11 . 2008-10-07 09:32 <DIR> d

  ---

  C:\WINDOWS\system32\drivers\Avg
  2008-10-05 16:11 . 2008-10-05 16:11 <DIR> d

  ---

  C:\Program Files\AVG
  2008-10-05 16:11 . 2008-10-05 17:13 <DIR> d

  ---

  C:\Documents and Settings\Jackie\Application Data\AVGTOOLBAR
  2008-10-05 16:11 . 2008-10-05 16:11 <DIR> d

  ---

  C:\Documents and Settings\All Users\Application Data\avg8
  2008-10-05 16:11 . 2008-10-05 16:11 97,928 --a

  ---

  C:\WINDOWS\system32\drivers\avgldx86.sys
  2008-10-05 16:11 . 2008-10-05 16:11 76,040 --a

  ---

  C:\WINDOWS\system32\drivers\avgtdix.sys
  2008-10-05 16:11 . 2008-10-05 16:11 10,520 --a

  ---

  C:\WINDOWS\system32\avgrsstx.dll
  2008-10-05 15:25 . 2008-10-05 17:13 <DIR> d

  ---

  C:\Documents and Settings\All Users\Application Data\SITEguard
  2008-10-05 15:24 . 2008-10-05 15:24 <DIR> d

  ---

  C:\Program Files\Common Files\iS3
  2008-10-05 15:24 . 2008-10-06 11:43 <DIR> d

  ---

  C:\Documents and Settings\All Users\Application Data\STOPzilla!
  2008-10-04 20:10 . 2008-10-05 18:45 <DIR> d

  ---

  C:\Program Files\ioazzzc
  2008-10-04 20:10 . 2008-10-05 17:02 <DIR> d

  ---

  C:\Documents and Settings\All Users\Application Data\rupchwvs
  2008-09-13 18:32 . 2008-09-13 18:32 <DIR> d

  ---

  C:\WINDOWS\system32\LogFiles
  2008-09-10 13:56 . 2008-09-10 13:56 <DIR> d

  ---

  C:\WINDOWS\Sun
  2008-09-10 13:54 . 2008-09-10 13:54 <DIR> d

  ---

  C:\Program Files\Three Rings Design
  2008-09-10 13:54 . 2008-09-10 13:54 <DIR> d

  ---

  C:\Program Files\Java
  2008-09-10 12:22 . 2008-09-13 19:02 49 --a

  ---

  C:\WINDOWS\NeroDigital.ini
  
  .
  (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
  .
  2008-09-12 17:22

  ---

  d

  ---

  w C:\Documents and Settings\Jackie\Application Data\HP
  2008-08-29 09:30

  ---

  d

  ---

  w C:\Documents and Settings\Jackie\Application Data\HPAppData
  2008-08-28 20:55

  ---

  d

  ---

  w C:\Documents and Settings\All Users\Application Data\QuickTime
  2008-08-28 14:50

  ---

  d

  ---

  w C:\Program Files\MSXML 4.0
  2008-08-27 12:33

  ---

  d

  ---

  w C:\Documents and Settings\LocalService\Application Data\HP
  2008-08-27 12:32

  ---

  d

  ---

  w C:\WINDOWS\system32\config\systemprofile\Application Data\HPAppData
  2008-08-27 12:32

  ---

  d

  ---

  w C:\Program Files\HP
  2008-08-27 12:32

  ---

  d

  ---

  w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
  2008-08-27 12:31

  ---

  d

  ---

  w C:\Program Files\Hewlett-Packard
  2008-08-27 12:31

  ---

  d

  ---

  w C:\Program Files\Common Files\HP
  2008-08-27 12:31

  ---

  d

  ---

  w C:\Program Files\Common Files\Hewlett-Packard
  2008-08-27 12:31

  ---

  d

  ---

  w C:\Documents and Settings\All Users\Application Data\HP
  2008-08-27 12:29

  ---

  d

  ---

  w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
  2008-08-26 10:32

  ---

  d

  ---

  w C:\Documents and Settings\Jackie\Application Data\Ahead
  2008-08-20 18:28

  ---

  d

  ---

  w C:\Program Files\Snapshot Viewer
  2008-08-20 18:28

  ---

  d

  ---

  w C:\Documents and Settings\All Users\Application Data\SBT
  2008-08-20 18:27

  ---

  d

  ---

  w C:\Program Files\microsoft frontpage
  2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
  2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
  2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
  2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
  2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
  2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
  2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
  2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
  2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
  .
  
  ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
  .
  .
  *Note* empty entries & legit default entries are not shown
  REGEDIT4
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 15360]
  "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
  "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
  "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 7634944]
  "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-31 86016]
  "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
  "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
  "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
  "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-02-10 26112]
  "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-10 98304]
  "HostManager"="C:\Program Files\Common Files\AOL\1204226382\ee\AOLSoftware.exe" [2006-11-14 50736]
  "EPSON Stylus C46 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-13 99840]
  "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
  "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-05 1234712]
  "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
  "nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
  "RTHDCPL"="RTHDCPL.EXE" [2006-08-01 C:\WINDOWS\RTHDCPL.exe]
  "SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
  
  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
  "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 15360]
  
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
  Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
  HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
  Intelligent Wireless Utility.lnk - C:\Program Files\Intelligent\Common\RaUI.exe [2008-01-25 626688]
  Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
  
  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
  
  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
  2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
  
  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
  "AppInit_DLLs"=avgrsstx.dll
  
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "%windir%\\system32\\sessmgr.exe"=
  "C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
  "C:\\Program Files\\AOL\\RC\\regClient.exe"=
  "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
  "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
  "C:\\Program Files\\AOL 9.0 VR\\waol.exe"=
  "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
  "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
  "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
  "C:\\Program Files\\AOL 9.0 VR\\aol.exe"=
  "C:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
  "C:\\Program Files\\Common Files\\AOL\\1204226382\\ee\\aolsoftware.exe"=
  "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
  "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
  "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
  
  R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
  R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-05 97928]
  R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
  R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-05 875288]
  R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-05 231704]
  R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-05 76040]
  
  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
  HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
  hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
  .
  - - - - ORPHANS REMOVED - - - -
  
  Toolbar-SITEguard - (no file)
  HKLM-Explorer_Run-Ni3iQWwXuA - C:\Documents and Settings\All Users\Application Data\rupchwvs\lwnopute.exe
  
  
  .

  ---

  Supplementary Scan

  ---

  .
  FireFox -: Profile - C:\Documents and Settings\Jackie\Application Data\Mozilla\Firefox\Profiles\j956gg5d.default\
  FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
  FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
  FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
  .
  
  **************************************************************************
  
  catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  Rootkit scan 2008-10-07 11:58:36
  Windows 5.1.2600 Service Pack 2 NTFS
  
  scanning hidden processes ...
  
  scanning hidden autostart entries ...
  
  scanning hidden files ...
  
  scan completed successfully
  hidden files: 0
  
  **************************************************************************
  .
  Completion time: 2008-10-07 11:59:51
  ComboFix-quarantined-files.txt 2008-10-07 10:59:47
  
  Pre-Run: 147,744,378,880 bytes free
  Post-Run: 147,742,175,232 bytes free
  
  WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
  [boot loader]
  timeout=2
  default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
  [operating systems]
  C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
  
  174 --- E O F --- 2008-10-06 10:53:02

  0
• chiaz

  October 2008 edited October 2008

  Let's see a new HijackThis log as well.

  0
• brewsa

  October 2008 edited October 2008

  Yeah sorry about that
  
  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 13:29:49, on 07/10/2008
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v7.00 (7.00.6000.16705)
  Boot mode: Normal
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
  C:\Program Files\Alwil Software\Avast4\ashServ.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
  C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\RUNDLL32.EXE
  C:\WINDOWS\RTHDCPL.EXE
  C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
  C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\CyberLink\Shared Files\RichVideo.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Real\RealPlayer\RealPlay.exe
  C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
  C:\Program Files\Common Files\AOL\1204226382\ee\AOLSoftware.exe
  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\PROGRA~1\AVG\AVG8\avgtray.exe
  C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
  C:\PROGRA~1\AVG\AVG8\avgrsx.exe
  C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\Intelligent\Common\RaUI.exe
  C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
  C:\PROGRA~1\AVG\AVG8\avgemc.exe
  C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
  C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
  C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\Mozilla Firefox\firefox.exe
  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
  R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
  O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
  O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
  O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
  O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
  O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
  O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
  O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
  O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
  O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
  O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
  O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
  O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
  O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
  O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1204226382\ee\AOLSoftware.exe
  O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
  O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: Intelligent Wireless Utility.lnk = C:\Program Files\Intelligent\Common\RaUI.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
  O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
  O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
  O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
  O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
  O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
  O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
  O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
  O20 - AppInit_DLLs: avgrsstx.dll
  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
  O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
  O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
  O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
  O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
  O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
  O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
  O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
  O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
  O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
  O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
  
  --
  End of file - 10280 bytes

  0
• chiaz

  October 2008 edited October 2008

  Please run HijackThis and place a tick by the following entries:
  O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
  O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
  
  
  Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer. Let me know how everything is running now.
  
  
  Also, I notice you have two anti-virus programs on your computer: AVG and Avast. You should not run two AV programs simultaneously as it will cause performance issues and maybe even cause conflicts. I suggest you remove one from startup, you may still keep that as an on-demand scanner. Just remember not to run both at the same time. If you need more elaboration about this, let me know.

  0
• brewsa

  October 2008 edited October 2008

  Hi Chiaz
  
  Thanks very much. It seems to have speeded up, little by little with every little thing i done, but i was just still worried my computer was still infected and me not knowing how to find out if it is.
  
  Regarding my AV programs, which do you suggest i run? I've actually got AVG, Avast, Spybot, spywareblaster and superanti-spyware. I don't even know what they actually do, but what would you sugest I keep/un-install or is there something else you would recommend?

  0
• chiaz

  October 2008 edited October 2008

  I can't tell you which AV is better, but I personally use Avast.
  
  You can run Spybot S&D, spywareblaster and SuperAntiSpyware at the same time, no problems here.
  
  
  Let's give a deeper check of your system. Please go HERE to run Panda ActiveScan 2.0

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply.

  0
• brewsa

  October 2008 edited October 2008

  Hello again
  
  Ok so i un-installed AVG. And the text from the scan is below. thanks
  
  ;***********************************************************************************************************************************************************************************
  ANALYSIS: 2008-10-08 12:48:46
  PROTECTIONS: 1
  MALWARE: 1
  SUSPECTS: 0
  ;***********************************************************************************************************************************************************************************
  PROTECTIONS
  Description Version Active Updated
  ;===================================================================================================================================================================================
  avast! antivirus 4.8.1229 [VPS 081008-0] 4.8.1229 Yes Yes
  ;===================================================================================================================================================================================
  MALWARE
  Id Description Type Active Severity Disinfectable Disinfected Location
  ;===================================================================================================================================================================================
  03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Jackie\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
  ;===================================================================================================================================================================================
  SUSPECTS
  Sent Location ^;
  ;===================================================================================================================================================================================
  ;===================================================================================================================================================================================
  VULNERABILITIES
  Id Severity Description ^;
  ;===================================================================================================================================================================================
  182048 HIGH MS07-069 ^;
  176382 HIGH MS07-057 ^;
  170906 HIGH MS07-045 ^;
  170904 HIGH MS07-043 ^;
  164913 HIGH MS07-033 ^;
  160623 HIGH MS07-027 ^;
  150253 HIGH MS07-016 ^;
  120815 HIGH MS06-022 ^;
  ;===================================================================================================================================================================================

  0
• brewsa

  October 2008 edited October 2008

  OK, new problem just started a few hours ago. I can't log into either yahoo or hotmail. Haven't tried from another computer yet. Most of the rest of internet seems to work fine apart from amazon took a long time and i mean a long time to open, though was fine getting around amazon (normal speed). I obviously managed to log in here and have done on a not very well known jobs site as well.
  
  Thanks again

  0
• brewsa

  October 2008 edited October 2008

  Now add to this, can't access download.com

  0
• chiaz

  October 2008 edited October 2008

  Give MBAM a full system scan again.
  
  * Next download HostsXpert Here and unzip it to your desktop.
  Next, open HostsXpert

  • Make sure that the "make hosts writable?" button in the upper right corner is checked
  • Now, click on 'back up Host files'
  • then click on 'Restore orginal host files'
  • Finally, close HostsXpert.
  • Reboot your PC.

  
  Let me know whether access has been restored to all those sites you mentioned.

  0
• brewsa

  October 2008 edited October 2008

  Hiya
  
  That didn't work.
  
  When i open the yahoo page most of it (not all loads properly), then when i click on the "mail" button "a248.e.akamai.net" appears in the bottom left and it just doesn't load. I can also open hotmail, but when you put a username and password in nothing happens in that a blank screen comes up and its trying to load but never does.
  
  Any gueses?

  0
• chiaz

  October 2008 edited October 2008

  Your new problem doesn't appear to be malware-related.
  
  I suggest you post about it here:
  http://icrontic.com/forum/forumdisplay.php?f=22
  
  
  Sorry I couldn't help more.

  0
• brewsa

  October 2008 edited October 2008

  OK, thanks very much for all your help

  0
• chiaz

  October 2008 edited October 2008

  Glad to be of assistance! The help you received here was free.
  
  This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.
  
  If you are not the user who started this thread, you must start your own Thread instead

  _______________________________

  Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.

  0