Is my computer possesed ? do i need an Exorcism? HLT log incl.
Member, 8. September 2008 @ 21:07
My computer has been running stupid slow. On-line scans and AVG Free show no problems. Don't see anything weird on HJT either (but I'm no expert). AD-AWARE won't even load; I get an error code that asks me if "I'm logged in as a diff user". And I keep getting "low virtual memory" warnings. Maybe I just need to switch some paging files to a portion of my (partitioned x3) hard drive w/more available memory, but I'm not sure how.
I'd appreciate any advice.
Thanks in advance. Here's an HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:48:35 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654306906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654255531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
AfterDawn Addict, 9. September 2008 @ 00:43
Hi narcismo,

Your HJT Log is Clean? That don't always mean you don't have infection but it's a pretty good sign that it's not a bad infection..

From your description, it sounds like you have just ran out of free space in your C partition.

How many HD's do you have? How many partitions do you have on the operating drive?? 3?

Go to Start > My Computer > right click the drives (partitions) > Properties

And see how much free space you have on each of the Drives (partitions)
You need bare minimum of 15 percent free space on your operating partition and that is pushing it.

If one of the other partitions has enough free space then you can move the My Documents folder to it and free up the space on your operating partition.

If you have only one HD, I wouldn't recommend moving the paging file; that would just slow you down.

You are able to resize the partition with programs like Partition Magic or Acronis Disk Director (not free). I don't know of a free partitioning software that really works..


2OG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
Member, 9. September 2008 @ 20:50
Thanks 2OG,
I'll give it a shot and post back.
Member, 9. September 2008 @ 23:33
2OL,
It seems I still have about 47% of avail memory on my C: drive and a lot more on D & E. Sounds like I should be OK. But when I look at my "System Monitor" I see HUGE spikes in my paging file usage. Not sure why. Doesn't seem that I should have to re-allocate any virt-memory? I'm confused. If you check my 1st post, I mentioned the ERROR msg I got from the AD-AWARE program. I just can't make sense of it.
I need the advice of an elder! LOL! Seriously!
Thanks in advance.
Eric

P.S.
My machine froze for nearly 2 min while posting this msg.
That can't be good. An easy fix would be great...but I'm "lacing them up" just in case. Thanks again


AfterDawn Addict, 10. September 2008 @ 00:00
Hi narcismo,


Sometimes these new malwares can hide pretty well.

Let's do a little pre-cleaning and then dig a little deeper to see if we can pull something out of the woodwork.




(1.) Please download ATF Cleaner by Atribune & save it to your desktop.


Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.

• If you use the Firefox browser, click Firefox at the top and choose: Select All.
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• If you use the Opera browser, click Opera at the top and choose: Select All.
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• Click Exit on the Main menu to close the program.




(2.) Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.

• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.

• Be sure that everything is checked, and click Remove Selected. << Do Not Forget This!!

• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post the contents of that file in your next reply.



(3.) Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
Quote:

"%userprofile%\desktop\combofix.exe" /killall


ComboFix will begin to run. DO NOTHING while this is happening.
• It will kill a few processes and disconnect you from the internet.
• If by chance it stops prematurely, you can re-establish your internet connection by restarting your computer.
• This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.

If when it's completed you can not get on the internet just reboot the computer

Post the log from comboFix for me located in c:\comboFix.txt, MBAM Log and a fresh HijackThis Log.


2OG

Edit: I finally noticed that you are using an outdated HJT. This may be the reason we can't see the malware.. Update your HijackThis to the latest version.





Member, 10. September 2008 @ 00:05
Wow, you're fast 2OL!
I just moved some paging files. I'm going to power down/re-start, check my machine, then post back. Choi!
Thankyou again.
AfterDawn Addict, 10. September 2008 @ 00:11
I'm OLD not SLOW!



Member, 10. September 2008 @ 00:44
Thanks again for your reply,
Didn't work. I run ATF Cleaner regularly; I'm currently running "Malwarebytes". That's as far as I got! Slow down! lol!

P.S. I run AVG Free 8.0, Spybot, Windows Defender, and Ad-Aware.
Do any of these progs "argue with each other"? My computer seemed to slow around the time I downloaded AVG 8.0.
Haven't got to the "Combo Fix" part yet...please bear with me, my machine is freezing like an ESKIMO!
When this scan is done I'll post back.


Member, 10. September 2008 @ 05:58
Hello again 2OL,
Here's the Malwarebytes log...not comforting.

Malwarebytes' Anti-Malware 1.27
Database version: 1134
Windows 5.1.2600 Service Pack 3

9/10/2008 5:28:26 AM
mbam-log-2008-09-10 (05-28-26).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 75387
Time elapsed: 1 hour(s), 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\VSAdd-in (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\DAP (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\DAP\LOG (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\DAP\NTLOG (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system\DRIVER\Copy (5) of 3.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\cygwin1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\Driver32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\New Text Document (5).txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\servicesmgr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\DRIVER\winlogon.dll (Trojan.Agent) -> Quarantined and deleted successfully.


P.S.
Cannot run Combofix ?
I get an error report from "SPYBOT" telling me that the prog cannot be renamed (in my registry)?
Would that be because I moved "MY DOCUMENTS" folder to a diff partition? I've since moved it back and will try again.
Thanks again.


Member, 10. September 2008 @ 06:32
Nope...No dice.
I've tried multiple times. It downloads but won't run.
ERROR: Windows cannot locate C:/Documents and settings...,blah,blah,blah.
I have the patience of Job, but this is driving me nuts! lol Will a "ROOTKIT REVEALER" log give you the info you need? I think I'm going stir-crazy! I hate computers! lol Can I fix this thru "RegEdit"?

Thanks again for all your help. Sorry, I know I'm rambling. lol


AfterDawn Addict, 10. September 2008 @ 16:31
You're running scanners that will not allow ComboFix to run?

Uninstall Combofix by going to Start > Run > type in combofix /u then OK

Download a fresh ComboFix from Here

Turn off (disable) Spybot Teatimer, windows defender, AVG8 and any other scanners that you have running.

Run ComboFix from the Desktop by double clicking the icon.

If that works, post a Log.

2OG



Member, 10. September 2008 @ 18:01
2OG,
Wow! What a difference! My machine is working much better.
Here's my ComboFix log.


ComboFix 08-09-10.02 - Administrator 2008-09-10 17:42:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.99 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\2.txt
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\url(3).dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD


((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-10 05:46 . 2008-09-10 05:46 <DIR> d-------- C:\Documents and Settings\My Documents\DVDFab
2008-09-10 05:46 . 2008-09-10 05:46 <DIR> d-------- C:\Documents and Settings\My Documents\Downloads
2008-09-10 05:46 . 2008-09-10 05:46 <DIR> d-------- C:\Documents and Settings\My Documents\candystand
2008-09-10 05:45 . 2008-09-10 05:45 <DIR> d-------- C:\Documents and Settings\My Documents\Updater5
2008-09-10 05:45 . 2008-09-10 05:45 <DIR> d-------- C:\Documents and Settings\My Documents\PcSetup
2008-09-10 05:45 . 2008-09-10 05:45 <DIR> d-------- C:\Documents and Settings\My Documents\NeroVision
2008-09-10 05:45 . 2008-09-10 05:45 <DIR> dr------- C:\Documents and Settings\My Documents\My Videos
2008-09-10 05:45 . 2008-09-10 05:45 <DIR> dr------- C:\Documents and Settings\My Documents\my pictures
2008-09-10 05:45 . 2008-09-10 05:46 <DIR> dr------- C:\Documents and Settings\My Documents\My Music
2008-09-10 05:45 . 2008-09-10 05:46 <DIR> dr------- C:\Documents and Settings\My Documents
2008-09-10 00:29 . 2008-09-10 00:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-10 00:28 . 2008-09-10 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-10 00:28 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-10 00:28 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 20:43 . 2008-09-08 20:43 3,918 --a------ C:\Documents and Settings\My Documents\cc_20080908_204346.reg
2008-08-29 20:41 . 2008-08-29 20:41 9,400 --a------ C:\Documents and Settings\My Documents\cc_20080829_204113.reg
2008-08-16 21:34 . 2008-08-16 21:34 31,464 --a------ C:\Documents and Settings\My Documents\cc_20080816_213414.reg
2008-08-16 20:55 . 2008-09-10 17:10 <DIR> d-------- C:\Program Files\Panda Security
2008-08-16 20:55 . 2008-08-17 22:22 <DIR> d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-08-16 20:55 . 2008-08-16 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-16 20:55 . 2008-08-16 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall
2008-08-15 20:42 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 20:41 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 21:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-10 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-30 00:26 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-17 23:19 --------- d-----w C:\Program Files\Elaborate Bytes
2008-08-17 02:24 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-08-10 00:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Graboid Inc
2008-08-06 00:33 78,568 ----a-w C:\Documents and Settings\My Documents\cc_20080805_203321.reg
2008-08-03 01:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ImgBurn
2008-08-01 13:27 99,648 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-07-31 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-29 04:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-07-27 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-07-27 01:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MozillaControl
2008-07-27 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Launcher
2008-07-21 12:11 24,392 ----a-w C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2008-07-13 00:09 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-13 00:09 --------- d-----w C:\Program Files\AVG
2008-07-13 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-12 03:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2007-06-02 02:54 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2007-06-02 02:54 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2008-05-28 22:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052820080529\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2008-04-13 143360]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-29 1235736]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2008-08-01 09:32 2161600 C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
--a------ 2008-01-07 12:26 390568 C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~2.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\program files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-12 76040]
S3 AntiAries;Anti Aries Helper Driver;C:\WINDOWS\System32\drivers\RKL15.tmp.sys [2007-03-21 7680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f25ef62-5f41-11d9-a9dc-806d6172696f}]
\shell\play\command - "C:\Program Files\iTunes\iTunes.exe" /playCD "%L"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\f3licwif.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 17:47:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
.
**************************************************************************
.
Completion time: 2008-09-10 17:52:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-10 21:51:54

Pre-Run: 12,063,322,112 bytes free
Post-Run: 12,033,540,096 bytes free

146 --- E O F --- 2008-09-03 20:54:57
AfterDawn Addict, 10. September 2008 @ 18:07
That's looking much better.... :)

Now post a fresh HJT Log and we'll pick up the trash.



Member, 10. September 2008 @ 18:11
Here you go.

Logfile of HijackThis v1.99.1
Scan saved at 6:09:39 PM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654306906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654255531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
AfterDawn Addict
10. September 2008 @ 18:25
Congratulations narcismo, your log now looks CLEAN

Things to do:
• Install a firewall - see below.
• Update your Java - see below.

Here are a few other things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt2 by OldTimer
• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.
• The tools that we used as well as this one will be removed from your system.

2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

Update Java using JavaRa

Please download JavaRa and unzip it to your desktop.
• Double-click on JavaRa.exe to start the program.
• Click on Remove Older Versions to remove the older versions of Java installed on your computer.
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.

Then download and install Java Runtime Environment (JRE) 6 Update 7.




4. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK"
• Select the drive you want to clean, usually C:
• Click OK
When it completes the scan:
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

5. Defragment your Hard Drive
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.




And here are some tips to reduce the potential for spyware infection in the future:

It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are Comodo Free and Online Armor Personal Firewall.
I have recently changed my firewall to Comodo, love it and highly recommend it.

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:

To protect your machine, I highly recommend BOClean. It's FREE and it works. I use it and never get one of these infections.

In order to prevent the installation of Trojans and Malware on your machine:
Download and install: Comodo BOClean

Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected trojan application. Comodo BOClean currently supports more than 60,000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.

• SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.



See Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


And also see TonyKlein's good advice
So how did I get infected in the first place?




Enjoy your clean computer. Any questions?


2OG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
Member
10. September 2008 @ 18:33
Good to go. Justice is served and Evil is Punished!
Thanks again 2OG :-)
You're officially on my Christmas list!


AfterDawn Addict
10. September 2008 @ 18:47
Just remember me in your will..



2OG



Member
10. September 2008 @ 19:01
You are THE MAN !
Thanks again.
Member
20. September 2008 @ 23:43
Dear Kind Sir (2OG),
Thanks 4 all your help. My machine worked fine for a day or two. Now it's back to its former "retarded-state"... slow and slower. I did everything you asked (updated JAVA, added COMODO & Blaster). And it seemed to work fine... temporarily. But Not 4 Long. ANY RECOMMENDATIONS?

NARCISMO
AfterDawn Addict
22. September 2008 @ 04:17
Did you defrag your drive? A badly fragmented drive can slow you down.

How much free space is left on your drive? A drive that has run out of free space can slow you down.

Also, check out Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.



Member
22. September 2008 @ 21:44
Hi 2OG,
All defragged, all anti-malware installed and updated, except for the firewall (had issues w/ COMODO in the past), unless you can suggest a good alternative. Other than that... all is well.
I did just update HJT. Here's a new log if you'd like. It looks OK to me. See what you think.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:48 PM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654306906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654255531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5588 bytes


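Reading a HijackThis log like the one above means picking apart a few line families: O4 (registry Run autostarts), O2 (browser helper objects), O16 (ActiveX controls downloaded into IE), O20 (AppInit_DLLs) and O23 (services). As an added example, not part of this thread and not HijackThis's own code, here is a small Python triage script that parses those line families and lists the entries a reviewer should look at first. The sample text mostly mirrors lines from the log posted above; the last O4 line (an "updater" started from a Temp folder) is constructed so the location heuristic has something to flag. The "trusted location" prefixes are a simple assumption about where installed software normally lives on XP, not a rule from HijackThis.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 log format. Most lines mirror entries from the
# log posted above; the final O4 line is a made-up autostart entry pointing into a
# user's Temp folder, included only so the location heuristic has something to flag.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
"""

# "O4 - <body>", "R1 - <body>" and so on; everything else in the log is ignored.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [Name] command line   (HKUS entries carry a SID after the hive)
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: DPF: {CLSID} (Friendly name) - download URL
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")

# Assumed folders where legitimately installed software normally lives on XP; an
# autostart or service binary elsewhere (Temp, user profile, root of C:) deserves a
# closer look. This is a triage heuristic, not proof of anything.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1", r"c:\windows", r"%systemroot%")


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.(exe|dll|sys)\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def is_trusted_location(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the O/R/F lines of an HJT log into {section, body} records."""
    return [m.groupdict() for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(text: str) -> Dict[str, object]:
    """Summarise autostart, BHO, service, DPF and AppInit entries and list items worth a second look."""
    report: Dict[str, object] = {"run": [], "bho": [], "services": [], "dpf": [], "appinit": [], "flags": []}
    for e in parse_log(text):
        sec, body = e["section"], e["body"]
        if sec == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            item = m.groupdict()
            item["path"] = exe_path(item["cmd"])
            report["run"].append(item)
            if not is_trusted_location(item["path"]):
                report["flags"].append(f"O4 [{item['name']}] starts from an unusual location: {item['path']}")
        elif sec == "O2" and body.startswith("BHO: "):
            parts = body[len("BHO: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                report["bho"].append(dict(zip(("name", "clsid", "path"), parts)))
        elif sec == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, vendor, path = parts
            report["services"].append({"name": name, "vendor": vendor, "path": path})
            if not is_trusted_location(exe_path(path)):
                report["flags"].append(f"O23 service '{name}' runs from an unusual location: {path}")
        elif sec == "O16":
            m = DPF_RE.match(body)
            if m:
                report["dpf"].append(m.groupdict())
        elif sec == "O20" and body.startswith("AppInit_DLLs: "):
            dlls = body[len("AppInit_DLLs: "):].split()
            report["appinit"].extend(dlls)
            # Every DLL listed here is loaded into every process that links user32.dll,
            # so each one must be matched to software the owner knowingly installed.
            report["flags"].append("O20 AppInit_DLLs is set (" + ", ".join(dlls) + "); confirm each DLL belongs to installed software")
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{len(r['run'])} autostart entries, {len(r['services'])} services, {len(r['dpf'])} ActiveX downloads")
    for f in r["flags"]:
        print("  review:", f)
```

On the sample the script reports four O4 autostarts, two services and one DPF control, and raises two review items: the AppInit_DLLs entry (here AVG's own avgrsstx.dll, which is expected on a machine running AVG 8) and the constructed Temp-folder autostart. A matching vendor name in an O23 line, as in the log above, is a good sign but not a verification; the script records it for the reader rather than trusting it.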
AfterDawn Addict
22. September 2008 @ 23:38
@ narcismo,

Your HJT Log is as clean as an Old Maid's parlor. No problems showing.

I have found that AVG8 uses a lot of resources and tends to slow you down.
Of the 3 top Free AVs I find Avira AntiVir to be the best and this is my recommendation.

Avira AntiVir - The free version has nag screens but they can be stopped by googling "avira antivir nag disable". This is the best of the free AVs and better than most of the paid. I like it better than any AV that I've tried/tested, Free or Paid.

You really do need a 3rd party Firewall. I suggest Comodo Pro for those that are a little geeky but for the average user I suggest Zone Alarm.

Download ZoneAlarm Free
It is a very good Firewall and does the job. I am the IT Guy for a Hotel Chain and use it on 90 percent of the machines.

Here is another suggestion that you might look into. Read about it and make the decision:

HOSTS file -> MVPS hosts HERE. This is a very important layer for blocking Malware. It blocks Bad Sites from being able to get into your computer - MVPS Hosts file only for the novice, and a combination of MVPS and HP Hosts with HostXpert.exe to manage them for the geeks.
Note: in most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs in W2000/XP/Vista. Windows 98 and ME are not affected.

To resolve this issue (manually) open the "Services Editor":
• Go to > Start > Run (type) "services.msc" (no quotes)
• Scroll down to "DNS Client", right-click and select: Properties
• Click the drop-down arrow for "Startup type"
• Select: Manual, or Disabled (recommended), click Apply/OK and restart.


2OG



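The HOSTS file advice above cuts both ways: a blocklist-style HOSTS file maps unwanted hostnames to 127.0.0.1 or 0.0.0.0 so they never resolve, but the same file is also a favourite place for malware to redirect update or security-vendor hostnames somewhere else (the O1 lines HijackThis reports). As an added example that is not part of this thread and not MVPS or HostXpert code, here is a Python checker that parses a HOSTS file, counts blocking entries, reports its size against the 135 KB figure quoted in the post, and flags any hostname that is redirected to a routable address instead of being blocked. The sample content is constructed; the "updates.example-av.test" line is a made-up illustration of a hijack entry.

```python
import ipaddress
from typing import Dict, List

# Size above which the post says a HOSTS file starts to slow Windows 2000/XP/Vista
# (the DNS Client service caches the whole file).
SLOW_THRESHOLD_BYTES = 135 * 1024

# Addresses a blocklist-style HOSTS entry legitimately points at: loopback or the unspecified address.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content: the standard localhost line, three blocklist-style
# lines in the MVPS format, a trailing comment, and one made-up entry that sends a
# (fictional) update host to a routable address, which is what a HOSTS hijack looks like.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
0.0.0.0 ads.example-tracker.test
0.0.0.0 banners.example-tracker.test   # blocked ad server
0.0.0.0 malware-dropper.example
203.0.113.7  updates.example-av.test
"""


def parse_hosts(text: str) -> List[Dict[str, str]]:
    """Return one {'address', 'hostname'} record per active mapping; comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        address, hostnames = parts[0], parts[1:]  # one address may name several hosts
        for host in hostnames:
            entries.append({"address": address, "hostname": host.lower()})
    return entries


def check_hosts(text: str) -> Dict[str, object]:
    """Summarise a HOSTS file and list entries that redirect rather than block."""
    entries = parse_hosts(text)
    size = len(text.encode("utf-8"))
    findings = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e["address"])
        except ValueError:
            findings.append(f"unparseable address '{e['address']}' for {e['hostname']}")
            continue
        if e["hostname"] == "localhost":
            if not addr.is_loopback:
                findings.append(f"localhost mapped to {addr} instead of loopback")
            continue
        if str(addr) not in BLOCK_TARGETS:
            # A hostname sent to a real address is a redirect, not a block: classic hijack pattern.
            findings.append(f"{e['hostname']} is redirected to {addr}, not blocked; possible HOSTS hijack")
    return {
        "entries": len(entries),
        "blocked": sum(1 for e in entries if e["hostname"] != "localhost" and e["address"] in BLOCK_TARGETS),
        "size_bytes": size,
        "too_large_for_dns_client": size > SLOW_THRESHOLD_BYTES,
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_hosts(SAMPLE_HOSTS)
    print(f"{result['entries']} entries, {result['blocked']} blocking, {result['size_bytes']} bytes")
    if result["too_large_for_dns_client"]:
        print("  note: over 135 KB; consider the DNS Client service change described in the post")
    for f in result["findings"]:
        print("  review:", f)
```

On a real machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts, read as text. The checker treats only loopback and 0.0.0.0 as legitimate blocking targets, so a locally-needed static mapping (an intranet host, for example) will also show up as a finding and has to be recognised by the person reading the output.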
Member
24. September 2008 @ 20:56
Hi 2OG,
Sorry for the late reply. I've been really busy lately. I just checked my available memory. No problems there. Plenty of available memory now. Reallocated some programs to other partitions and I'm good to go.
I'll take your advice (which has been fantastic, ZEN BUDDHA like!) on the AV prog and firewall... and thanks again for all your help.

narcismo
AfterDawn Addict
24. September 2008 @ 21:38
You're welcome, narcismo.

Run a tight ship and keep the bugs out.



2OG




Member
25. September 2008 @ 21:59
2OG,
Just a quick shout-out. I took your advice and switched AV and Firewall progs.
Here's a partial log of AVIRA ANTIVIR that I just ran...



Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{6CB69BF9-A23A-4F16-A580-68923DB64035}\RP112\A0017647.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '490c35c8.qua'!
C:\System Volume Information\_restore{6CB69BF9-A23A-4F16-A580-68923DB64035}\RP113\A0017928.dll
[DETECTION] Contains recognition pattern of the W95/Blumblebee.1738 Windows virus
[NOTE] The file was moved to '490c35ed.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\'
Begin scan in 'E:\'


End of the scan: Thursday, September 25, 2008 21:28
Used time: 36:15 Minute(s)

The scan has been done completely.

4444 Scanning directories
183201 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
183197 Files not concerned
1130 Archives were scanned
2 Warnings
2 Notes



Again...excellent advice!
You are THE MAN! Thanks 1,000,000.

narcismo

