Slowed Computer - Stuck on Military time

sniper9228 · 24th August 2008

I recently switched my firewalls from pc tools to sunbelt. My computer was going fast, until redswoosh got on my system. I removed redswoosh but still a little slow. I look at the applications in sunbelt and I see au_ listed. In process manager au_ is not listed. Spybot will not launch. DSS does not work right on this computer so here is my hjt log. It may be ok, but let me know if anything suspicious.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:55 PM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Program Files\Plustek\OpticBook 3600\Am32Plus.exe
C:\Program Files\KWorld Multimedia\PVR-TV 883 Utilities\C8XRCtl.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (filesize 62080 bytes, MD5 C11F6A1F61481E24BE3FDC06EA6F7D2A)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 1562448 bytes, MD5 32981ADE44D01EC2A9EBC2E311291707)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (filesize 509328 bytes, MD5 F921D875A1CBD69A6A462BA2514BC831)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 328752 bytes, MD5 59CF5BF6684AFCF906CADAD39B4214DE)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (filesize 193136 bytes, MD5 E54EE9B974837C208B923EC94E5F30FD)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (filesize 321120 bytes, MD5 FF29E3FB75E7726EE002B65A9F2D4A6E)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll (filesize 651760 bytes, MD5 91DE317969CDCDA3EE6883926BB6381B)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (filesize 546320 bytes, MD5 CEE1BE1DA21300208D07FBEAE9EA2B51)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (filesize 321120 bytes, MD5 FF29E3FB75E7726EE002B65A9F2D4A6E)
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000030.dll (filesize 1061384 bytes, MD5 5531E318C6B22D96D80AB20665008455)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (filesize 546320 bytes, MD5 CEE1BE1DA21300208D07FBEAE9EA2B51)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (filesize 193136 bytes, MD5 E54EE9B974837C208B923EC94E5F30FD)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE (filesize 949376 bytes, MD5 5323FFAD4055DB50F1656D79C83C1DDF)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (filesize 61440 bytes, MD5 E1E71D80D078C576801B6FE2A29FCF85)
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (filesize 623992 bytes, MD5 5369A26E89C68E9420AE9B9CC6305834)
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" (filesize 1037736 bytes, MD5 7A7D4000C9443350383F0FDFB7A1C12E)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeC:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (filesize 144784 bytes, MD5 6AB4C021FBD36DC6764924C312428D97)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (filesize 50472 bytes, MD5 AC23F48F1D9A886D4786A7F8F17CD656)
O4 - HKCU\..\Run: [L08AXLRD_42333862] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m (filesize 351000 bytes, MD5 783F7F39A134AA5A9FE78A137980190B)
O4 - Global Startup: Action Express (OpticBook 3600).lnk = ?
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 883 Utilities\C8XRCtl.exe (filesize 57344 bytes, MD5 1279746C4AFAC185FEA43E1442E5B893)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm (filesize 277 bytes, MD5 C4A7DACCF223AD5D6D7024F4F3F3BE3E)
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm (filesize 1892 bytes, MD5 5F161957F895BC40C1146B0B4A07397C)
O8 - Extra context menu item: &Links to this page - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gbacklinks.htm (filesize 838 bytes, MD5 065D3C2556520FB36F0F80E82FC1545F)
O8 - Extra context menu item: &Similar pages - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsimilar.htm (filesize 841 bytes, MD5 63B9CFE5118A01410A36CD25A6DD8060)
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm (filesize 394 bytes, MD5 995487A1A44D95C386EBF51143D96293)
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm (filesize 16017 bytes, MD5 005C6139F60CF6954FF72CDAB97244D8)
O8 - Extra context menu item: Look up in Mr&Check... - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tumrcheck.htm (filesize 791 bytes, MD5 6093D6934E8B9BC5843F8B52A39D9E5E)
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm (filesize 72 bytes, MD5 02A3713396DEA33FE8012D08C5D8C010)
O8 - Extra context menu item: Open in &new window - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm (filesize 414 bytes, MD5 CBC257A1D6F3408D1E8C7116891BC099)
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?9b84e1f4472344c9b64b37b0968547c4
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?9b84e1f4472344c9b64b37b0968547c4
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm (filesize 1053 bytes, MD5 DE414A57BB66DA2D33419937722C83B1)
O8 - Extra context menu item: Show page from the &cache - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gcache.htm (filesize 839 bytes, MD5 1E22D6B0CE83D42D9ADE391B8CBE0E13)
O8 - Extra context menu item: Translate this page with Google - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gtranslate.htm (filesize 863 bytes, MD5 BC6EC4E43D1580FAD4B28E0D0BAC2BCF)
O8 - Extra context menu item: View old version at &archives.org - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuarch.htm (filesize 796 bytes, MD5 FFFAAD0E6F6AD0C2024E7C0ACBF539F6)
O8 - Extra context menu item: Zoom &out - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm (filesize 708 bytes, MD5 FF8002F1AA57BA3D5A288AE8E0F4C7AB)
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm (filesize 453 bytes, MD5 3B41FB543FD623946F1E440BA0E03200)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (filesize 509328 bytes, MD5 F921D875A1CBD69A6A462BA2514BC831)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (filesize 509328 bytes, MD5 F921D875A1CBD69A6A462BA2514BC831)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL (filesize 40424 bytes, MD5 7FC19DA1DC70C78D2FBD7A1D10942051)
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL (filesize 293656 bytes, MD5 A18A1027B4671E1BF279361A1CF53448)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 1562448 bytes, MD5 32981ADE44D01EC2A9EBC2E311291707)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 1562448 bytes, MD5 32981ADE44D01EC2A9EBC2E311291707)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1219349541797
O17 - HKLM\System\CCS\Services\Tcpip\..\{399AAD98-92A5-466A-AC51-E7E148FF1D91}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeC:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\bin\CepstralLicSrv.exeC:\Program Files\Cepstral\bin\CepstralLicSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeC:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exeC:\Program Files\Eset\nod32krn.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exeC:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exeC:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exeC:\WINDOWS\System32\TuneUpDefrag Service.exe

--
End of file - 14228 bytes

sniper9228 · 24th August 2008

I finally got spybot to launch by disabling the network and enabling it again.

**Geri** · 24th August 2008

Hi

Quote:

I see au_ listed.

Would that be au_.exe?

Geri

sniper9228 · 24th August 2008

I believe so, in sunbelt, it is just listed as au_

**Geri** · 24th August 2008

Hi
OK lets run a scan and see if anything shows in it.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Geri

sniper9228 · 24th August 2008

I did modify the host file like a couple months ago, so I dont think it really is corrupt.
____

SmitFraudFix v2.339

Scan done at 12:53:52.16, Sun 08/24/2008
Run from C:\Documents and Settings\Jordan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Program Files\Plustek\OpticBook 3600\Am32Plus.exe
C:\Program Files\KWorld Multimedia\PVR-TV 883 Utilities\C8XRCtl.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jordan\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 hk.digitaltrends.com
127.0.0.1 microsoft.com.org
127.0.0.1 www.www.microsoft.com.org
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jordan

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jordan\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jordan\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1494C3FE-CC9B-47C9-B977-B4B14FB4FACE}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{399AAD98-92A5-466A-AC51-E7E148FF1D91}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1494C3FE-CC9B-47C9-B977-B4B14FB4FACE}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{399AAD98-92A5-466A-AC51-E7E148FF1D91}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1494C3FE-CC9B-47C9-B977-B4B14FB4FACE}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{399AAD98-92A5-466A-AC51-E7E148FF1D91}: NameServer=208.67.222.222,208.67.220.220

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

**Geri** · 24th August 2008

Hi
OK that shows OK.

You can delete smitfraudfix.exe and these files.
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\SYSTEM32\Process.exe
C:\WINDOWS\SYSTEM32\SrchSTS.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\VACFix.exe

Which application in sunbelt is au_ listing can you give me any more details on it. can you post a screen shot of it?

Geri

sniper9228 · 24th August 2008

http://i36.tinypic.com/iz0tue.jpg

My clock currently says 18:29. I changed it to hh:mm:ss tt for a 12-hour clock
now it says 06:30

Some of my start menu settings are reset. Things that are listed in My Recent Documents which I had to put on my start menu again, cannot be found when doing windows search.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:38:44 PM, on 8/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Plustek\OpticBook 3600\Am32Plus.exe
C:\Program Files\KWorld Multimedia\PVR-TV 883 Utilities\C8XRCtl.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000030.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [L08AXLRD_42333862] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Action Express (OpticBook 3600).lnk = ?
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 883 Utilities\C8XRCtl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Links to this page - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gbacklinks.htm
O8 - Extra context menu item: &Similar pages - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsimilar.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Look up in Mr&Check... - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tumrcheck.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Open in &new window - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?9b84e1f4472344c9b64b37b0968547c4
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?9b84e1f4472344c9b64b37b0968547c4
O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm
O8 - Extra context menu item: Show page from the &cache - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gcache.htm
O8 - Extra context menu item: Translate this page with Google - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\gtranslate.htm
O8 - Extra context menu item: View old version at &archives.org - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuarch.htm
O8 - Extra context menu item: Zoom &out - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1219349541797
O17 - HKLM\System\CCS\Services\Tcpip\..\{399AAD98-92A5-466A-AC51-E7E148FF1D91}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10877 bytes

sniper9228 · 25th August 2008

My clock is now set to 12 hour. I still can't get the 0 out of like 08:29 pm. My start menu is set to defaults. My original settings like said before disappeared.

Why is my clock like this? malware could be

**Geri** · 25th August 2008

Hi
OK lets run Combofix and see what it says.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.

Close all open programs and windows
Double click combofix.exe and follow the prompts.
Vista users right click Combofix.exe and select Run As Administrator.
When finished, it shall produce a log for you. Post the Combofix log

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

Geri

sniper9228 · 25th August 2008

My clock is still messed up.

--------
ComboFix 08-08-23.03 - Jordan 2008-08-25 0:49:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1089 [GMT -4:00]
Running from: C:\Documents and Settings\Jordan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

http://www.comodo.com
.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-24 12:53 . 2008-08-24 18:34 89,600 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-24 12:53 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-24 12:53 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-24 02:54 . 2008-08-24 02:54 <DIR> d-------- C:\WINDOWS\Sun
2008-08-23 02:40 . 2008-08-23 02:40 <DIR> d-------- C:\Program Files\VDMSound
2008-08-22 16:52 . 2008-08-22 16:52 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-08-22 16:52 . 2008-07-16 09:57 269,736 -ra------ C:\WINDOWS\system32\drivers\SbFw.sys
2008-08-22 16:52 . 2008-06-21 04:54 65,576 --a------ C:\WINDOWS\system32\drivers\SbFwIm.sys
2008-08-21 00:32 . 2008-08-21 00:32 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Thinstall
2008-08-21 00:30 . 2008-08-21 00:31 <DIR> d-------- C:\Program Files\Microsoft Works 9.0
2008-08-19 16:25 . 2008-08-19 16:36 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\LimeWire
2008-08-16 02:23 . 2008-08-16 02:23 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Template
2008-08-16 02:21 . 2008-08-16 02:23 114 --a------ C:\Documents and Settings\Jordan\Application Data\wklnhst.dat
2008-08-15 02:30 . 2008-08-15 02:30 335 --a------ C:\WINDOWS\mozregistry.dat
2008-08-15 02:19 . 2008-08-15 23:07 <DIR> d-------- C:\Program Files\Mozilla Sunbird
2008-08-15 01:26 . 2008-08-15 01:26 <DIR> d-------- C:\Program Files\Colorizer
2008-08-14 21:08 . 2008-08-14 21:09 <DIR> d-------- C:\Program Files\AIM6_Cloned
2008-08-14 20:58 . 2008-08-14 21:04 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-08-14 20:58 . 2008-08-14 20:59 <DIR> d-------- C:\Program Files\AIM6
2008-08-14 12:20 . 2008-08-22 13:48 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2008-08-13 12:26 . 2008-08-13 12:27 <DIR> d-------- C:\Program Files\Google
2008-08-12 21:35 . 2008-08-12 21:35 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-08-12 21:34 . 2008-08-12 21:36 <DIR> d-------- C:\Program Files\Windows Live
2008-08-12 21:22 . 2008-04-14 05:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-12 21:19 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 21:19 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 18:24 . 2008-08-10 18:24 <DIR> d-------- C:\Program Files\VLC Media Player
2008-08-10 18:24 . 2008-08-10 18:24 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\vlc
2008-08-10 16:17 . 2008-08-10 16:17 <DIR> d-------- C:\Program Files\DuoWeather.com
2008-08-09 15:26 . 2008-08-14 21:08 <DIR> d-------- C:\Program Files\Unlocker
2008-08-08 22:32 . 2008-08-24 02:26 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\U3
2008-08-02 19:25 . 2008-08-10 19:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-30 23:14 . 2008-07-30 23:14 <DIR> d-------- C:\Program Files\Cepstral
2008-07-30 19:49 . 2008-07-30 19:49 <DIR> d-------- C:\WINDOWS\speech
2008-07-29 23:15 . 2008-07-29 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Arovax
2008-07-29 20:43 . 2008-07-29 20:43 <DIR> d-------- C:\Program Files\Copernic Desktop Search 2
2008-07-25 14:34 . 2008-07-25 14:34 <DIR> d-------- C:\Program Files\p-nand-q.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 23:04 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-24 07:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-24 06:46 --------- d-----w C:\Documents and Settings\Jordan\Application Data\uTorrent
2008-08-24 01:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 01:08 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-22 20:50 --------- d-----w C:\Documents and Settings\Jordan\Application Data\Comodo
2008-08-22 18:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-22 06:12 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-08-21 00:27 --------- d-----w C:\Program Files\Opera
2008-08-16 02:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-15 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-15 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
2008-07-24 17:02 --------- d-----w C:\Program Files\Java
2008-07-23 01:14 --------- d-----w C:\Documents and Settings\Jordan\Application Data\ViStart
2008-07-22 21:42 --------- d-----w C:\Documents and Settings\Jordan\Application Data\MiniDm
2008-07-22 00:36 --------- d-----w C:\Documents and Settings\Jordan\Application Data\PCToolsFirewallPlus
2008-07-21 18:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 23:23 --------- d-----w C:\Documents and Settings\Jordan\Application Data\IEPro
2008-07-20 20:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-07-20 20:18 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-20 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-20 00:30 --------- d-----w C:\Documents and Settings\Jordan\Application Data\FogelSoft
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-13 20:49 --------- d-----w C:\Program Files\ESET
2008-07-09 18:34 --------- d-----w C:\Program Files\uTorrent
2008-07-09 18:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-09 01:16 --------- d-----w C:\Program Files\Trend Micro
2008-07-08 17:30 --------- d-----w C:\Program Files\Plustek
2008-07-08 17:30 --------- d-----w C:\Program Files\Common Files\iMpacct
2008-07-08 02:46 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-22 19:20 355,584 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-06-21 02:52 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-06-03 01:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-05-29 13:28 28,416 ----a-w C:\WINDOWS\system32\uxtuneup.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 11:21 50472]
"L08AXLRD_42333862"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 07:00 351000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-13 12:27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-20 22:52 949376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SbUsb AudCtrl"="sbusbdll.dll" [2004-07-08 22:27 119296 C:\WINDOWS\system32\sbusbdll.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Action Express (OpticBook 3600).lnk - C:\Program Files\Plustek\OpticBook 3600\Am32Plus.exe [2008-07-08 13:31:26 143360]
Remote Control.lnk - C:\Program Files\KWorld Multimedia\PVR-TV 883 Utilities\C8XRCtl.exe [2008-06-21 16:34:01 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TV Remote Control.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TV Remote Control.lnk
backup=C:\WINDOWS\pss\TV Remote Control.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR Agent]
--a------ 2005-12-21 20:37 754176 C:\Program Files\V-Stream Multimedia\PVR Plus\TVR\Scheduled.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"L08AXLRD_3149228"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m

R1 SbFw;SbFw;C:\WINDOWS\system32\drivers\SbFw.sys [2008-07-16 09:57]
R1 sbhips;Sunbelt HIPS Driver;C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 04:54]
R2 Cepstral License Server;Cepstral License Server;C:\Program Files\Cepstral\bin\CepstralLicSrv.exe [2007-03-15 13:54]
R2 CX88XBAR;KWorld TV88X Crossbar;C:\WINDOWS\system32\drivers\CX88XBAR.sys [2005-01-18 19:58]
R2 SbPF.Launcher;SbPF.Launcher;C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-30 10:36]
R2 SPF4;Sunbelt Personal Firewall 4;C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-30 10:36]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 04:54]
R3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys [2004-07-27 05:31]
S3 LinksysFVNETusbl(AR)(R);Linksys FVNETusbl(AR)(R) Service for Instant Wireless USB Network Adapter ver.2.6;C:\WINDOWS\system32\DRIVERS\vnetusbl.sys [2004-03-09 19:48]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-06-22 15:20]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-20 02:34]
S3 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{6219a632-6581-11dd-8da7-0006251a577a}]
\Shell\AutoRun\command - H:\LaunchU3.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-25 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-08-25 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jordan\Application Data\Mozilla\Firefox\Profiles\13qz9ofz.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\NPOFF12.DLL
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 00:53:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\Jordan\LOCALS~1\Temp\ASFWHide"
.
Completion time: 2008-08-25 0:55:45
ComboFix-quarantined-files.txt 2008-08-25 04:55:39

Pre-Run: 109,705,359,360 bytes free
Post-Run: 109,705,097,216 bytes free

209 --- E O F --- 2008-07-08 22:27:01

sniper9228 · 25th August 2008

When I restarted, it still said 01 until I switched it to h:mm:ss tt now it works.

Whether the computer is any faster now as before the malware hit, I don't know.

**Geri** · 25th August 2008

Hi

Quote:

When I restarted, it still said 01 until I switched it to h:mm:ss tt now it works.

OK Good.

Quote:

Some of my start menu settings are reset. Things that are listed in My Recent Documents which I had to put on my start menu again, cannot be found when doing windows search.

I see you're using ViStart, you may have to reconfigure it? I don't use it so I don't know anything about it.

Please delete combofix it's not showing anything.

Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing the infected files there as well.

Lets get a on-line scan.

Please do an online scan with Kaspersky WebScanner

Click on “Accept” If your pop –up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users you must open the web browser using the Run as Administrator command.

The program will launch and then begin downloading the latest definition files:
Under Scan on the left side.Click on My Computer
This will start the program and scan your system.
Click the “Scan Report” On the left side.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
Save the text file to your desktop.
Copy and paste that information in your next post.

Please post the Kaspersky results.

Geri

sniper9228 · 25th August 2008

Before you posted this reply to me, I deleted the read-only Combofix desktop icon. When I read your post, I redownloaded the file so I could run your uninstall command.

Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing the infected files there as well.

"This looks like it will restart the entire process." Is it running it again or not? I get the blue command prompt window when running ComboFix /u If it so, do I need to disable my firewall and antivirus again?

sniper9228 · 25th August 2008

I was talking about my xp start menu, but its working again.

I will run Kaspersky WebScanner in the morning.