
Disappearing Files, Hijacked IE6 Browser, etc. etc

Discussion in 'Malware and Virus Removal Archive' started by catswhisker, 2008/06/18.

  1. 2008/07/31
    noahdfear

    Well, let's try something a bit more powerful. Download the Killbox from here and save it to the desktop.

    • Double-click the KillBox icon on your desktop to open it
    • Click the folder icon next to the address window, browse to and select the "WCAU Old Timers." file in your user profile.
    • Once the filename/filepath appear in the address window, select the Delete on Reboot option.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    The file should be gone upon reboot.
     
  2. 2008/08/01
    catswhisker

    In case it’s action-specific, here’s what the "PendingFile….." window said:

    PendingFileRenameOperations Registry data has been removed by external process!

    Had to reboot manually.

    That <expletive deleted> file still lives!
     


  4. 2008/08/01
    noahdfear

    Time for the big gun. Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    I don't expect to get that file on this run, but I want to see if there's something else hiding prior to going after it. ;)
     
  5. 2008/08/02
    catswhisker

    During ComboFix, this error message appeared:

    Registry Error = Cannot export TEMPoo (I would think this should read TEMP00—but what do I know?): Error opening file. There may be a disk or file system error.

    Although Search showed Combofix.txt in C:\, I couldn’t find it, so I saved the Search item into the C:\Combofix folder.

    I noticed a new folder in C:\ ----QooBox, which is part of ComboFix. Is this something I should be concerned about? (I’m not sure I want to leave ComboFix on my machine; it looks too dangerous.)

    I hope you find something.

    Here’s the ComboFix log:

    ComboFix 08-08-01.05 - Norman 2008-08-02 20:47:43.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.213 [GMT -4:00]
    Running from: C:\Documents and Settings\Norman\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\VundoFix.txt
    C:\WINDOWS\Downloaded Program Files\Quarantine

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
    .

    2008-08-02 17:21 . 2008-08-02 17:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
    2008-08-02 17:17 . 2008-08-02 17:17 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-08-02 17:14 . 2008-08-02 17:14 <DIR> d-------- C:\Program Files\McAfee
    2008-08-01 14:03 . 2008-08-01 14:03 <DIR> d-------- C:\!KillBox
    2008-07-29 16:18 . 2008-07-29 16:18 <DIR> d-------- C:\Program Files\GiPo@Utilities
    2008-07-29 16:18 . 2008-07-29 16:18 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
    2008-07-27 17:44 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
    2008-07-27 17:44 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
    2008-07-27 17:40 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005701_.tmp
    2008-07-25 16:59 . 2008-07-25 16:59 <DIR> d-------- C:\Program Files\COMODO
    2008-07-25 16:59 . 2008-07-25 16:59 <DIR> d-------- C:\Documents and Settings\Norman\Application Data\Comodo
    2008-07-25 16:59 . 2008-07-25 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-25 16:59 . 2008-07-25 16:59 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-07-25 16:59 . 2008-07-25 16:59 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-07-25 16:59 . 2008-07-25 16:59 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-07-19 14:00 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-18 14:56 . 2008-07-18 14:56 <DIR> d-------- C:\Program Files\Secunia
    2008-07-04 17:44 . 2008-07-04 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-07-04 17:44 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-02 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-08-02 21:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-02 21:08 --------- d-----w C:\Program Files\SpywareBlaster
    2008-08-02 02:15 --------- d-----w C:\Program Files\MICROSOFT MONEY BACKUPS
    2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-26 20:16 99 ----a-w C:\Documents and Settings\Norman\wcau_ot02.bat
    2008-07-18 21:23 --------- d-----w C:\Program Files\Verizon Online
    2008-07-18 18:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-07-13 21:11 --------- d-----w C:\Program Files\MSECache
    2008-07-11 21:24 --------- d-----w C:\Program Files\Java
    2008-07-10 21:24 --------- d-----w C:\Program Files\SiteAdvisor
    2008-07-05 19:21 --------- d-----w C:\Documents and Settings\Norman\Application Data\SiteAdvisor
    2008-07-05 01:54 59,405 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_07_04_21_05_42_small.dmp.zip
    2008-07-04 20:15 --------- d-----w C:\Program Files\Lavasoft
    2008-07-04 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-04 20:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-02 19:26 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-02 19:26 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-07-02 19:26 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-16 08:31 7,808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys
    2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-05 01:23 --------- d-----w C:\Documents and Settings\Norman\Application Data\Malwarebytes
    2008-06-05 01:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-04 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-05-27 01:15 36,888 ----a-w C:\Documents and Settings\Norman\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
    2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
    2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
    2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
    2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
    2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
    2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2006-09-15 21:19 439,296 ------w C:\Documents and Settings\Norman\remote.exe
    2006-02-08 22:08 138 ------w C:\Program Files\INSTALL.LOG
    2006-01-19 22:50 13 ------w C:\Program Files\money2.QIF
    2006-01-19 22:17 202,845 ------w C:\Program Files\MONEY.QIF
    2004-11-01 05:00 1,236,235 ------w C:\Documents and Settings\Norman\ie-ads.reg
    2004-11-01 05:00 1,202,566 ------w C:\Documents and Settings\Norman\ie-ads-uninst.reg
    2003-09-28 22:00 10,228 ------w C:\Documents and Settings\Norman\install.bat
    2007-10-18 01:17 23 --sha-w C:\WINDOWS\system32\fbad0_g.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ADUserMon "= "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2008-04-27 15:48 147456]
    "HTpatch "= "C:\WINDOWS\htpatch.exe" [2002-10-30 05:40 28672]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2004-05-12 17:22 249856]
    "THGuard "= "C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19 1102848]
    "TrueImageMonitor.exe "= "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 02:52 2595480]
    "AcronisTimounterMonitor "= "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 03:02 905056]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 15:26 1232152]
    "Acronis Scheduler2 Service "= "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 02:55 140568]
    "Ad-Watch "= "C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-07-04 16:30 2468200]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-25 16:59 1655552]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

    C:\Documents and Settings\Norman\Start Menu\Programs\Startup\
    Secunia PSI (RC3).lnk - C:\Program Files\Secunia\PSI (RC3)\psi.exe [2008-06-16 05:03:08 663552]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
    backup=C:\WINDOWS\pss\MagicTune 3.6.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --------- 2001-07-09 06:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe "=

    R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-10-22 21:27]
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 15:26]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-25 16:59]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-25 16:59]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-02 15:26]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 15:26]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 15:26]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
    R2 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-09-14 04:01]
    S2 0066451217711838mcinstcleanup;McAfee Application Installer Cleanup (0066451217711838);C:\WINDOWS\TEMP\006645~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
    S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys [2000-03-29 10:17]
    S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-06-16 04:31]

    *Newly Created Service* - 0066451217711838MCINSTCLEANUP
    *Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
    msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-16 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
    - c:\utilities\SpeedUpMyPC\SpeedUpMyPC.exe []

    2008-05-17 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
    - c:\utilities\SpeedUpMyPC\SpeedUpMyPC.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Norman\Application Data\Mozilla\Firefox\Profiles\cpi4wa1g.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-02 20:53:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
    "ImagePath "= "\ "\" "
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\COMODO\Firewall\cfpupdat.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-02 21:05:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-03 01:05:14

    Pre-Run: 30,557,245,440 bytes free
    Post-Run: 30,466,797,568 bytes free

    191 --- E O F --- 2008-01-09 20:46:56

    ________________________________________________________________________

    And here’s the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:33:52 PM, on 8/2/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\TrojanHunter 4.7\THGuard.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Secunia\PSI (RC3)\psi.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\explorer.exe
    C:\UTILITIES\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe "
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe "
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: www.bitdefender.com
    O15 - Trusted Zone: http://www.ewido.net
    O15 - Trusted Zone: usa.kaspersky.com
    O15 - Trusted Zone: www.pandasecurity.com
    O15 - Trusted Zone: http://housecall.trendmicro.com
    O15 - Trusted Zone: http://*.turbotax.com
    O15 - Trusted Zone: *.vanguard.com
    O15 - Trusted Zone: *.verizon.net
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120085952027
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143236299578
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: McAfee Application Installer Cleanup (0066451217711838) (0066451217711838mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\006645~1.EXE (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    --
    End of file - 9029 bytes

    Thanks.
     
  6. 2008/08/02
    noahdfear

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\005701_.tmp
    Rootkit::
    C:\Documents and Settings\Norman\My Documents\WCAU Old Timers.
    Suspect::[22]
    C:\WINDOWS\system32\fbad0_g.dll
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect a file for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned file. Please copy the path shown in the prompt and paste it into the box, then click Send.
    Thanks!
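The triage noahdfear does by eye in the reply above (picking 005701_.tmp, the dot-terminated "WCAU Old Timers." file and the 23-byte fbad0_g.dll out of the posted logs) written as code. This is an added example, not part of the thread and not ComboFix or HijackThis code; the heuristics, thresholds and function names are my own assumptions, and the sample lines are copied from the logs posted earlier in the thread.

```python
"""Triage heuristics for ComboFix / HijackThis log rows (added example, not tool code)."""
import re

# ComboFix "Files Created" and "Find3M" rows, e.g.
#   2008-07-27 17:40 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005701_.tmp
#   2007-10-18 01:17 23 --sha-w C:\WINDOWS\system32\fbad0_g.dll
#   2008-08-01 14:03 . 2008-08-01 14:03 <DIR> d-------- C:\!KillBox
COMBOFIX_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}"           # created date/time
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"   # optional modified date/time
    r" (?:<DIR>|(?P<size>[\d,]+|-{3,}))"        # size, or <DIR>/dashes for folders
    r" (?P<attrs>[-a-z]{7,9})"                  # attribute flags: d=dir, h=hidden, s=system, a=archive
    r" (?P<path>\S.*)$"
)
# HijackThis O23 row:  O23 - Service: <name> - <owner> - <path> [(file missing)]
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
BARE_PATH = re.compile(r"^[A-Za-z]:\\")

PE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".scr")
MIN_PE_SIZE = 64  # a PE image begins with a 64-byte DOS header, so anything smaller cannot be one


def check_path(path, size=None, attrs=""):
    """Heuristics for one path; size/attrs are only known for ComboFix rows. Returns (path, reason) pairs."""
    findings = []
    name = path.rsplit("\\", 1)[-1]
    low = path.lower()
    if name.endswith((".", " ")):
        # Win32 path normalisation strips trailing dots and spaces, so Explorer, del and most
        # cleanup tools address a different (non-existent) name; only a \\?\ path reaches the file.
        findings.append((path, "name ends with '.' or ' ', which ordinary Win32 deletes cannot address"))
    if attrs.startswith("d"):
        return findings  # remaining rules are about files, not folders
    if low.endswith(PE_EXTENSIONS) and size is not None and size < MIN_PE_SIZE:
        findings.append((path, f"{size}-byte file with an executable extension cannot be a valid PE image"))
    if "h" in attrs and "s" in attrs and "\\windows\\" in low:
        findings.append((path, "hidden+system attributes on a loose file under the Windows folder"))
    if low.endswith(".tmp") and low.startswith("c:\\windows\\") and low.count("\\") == 2:
        findings.append((path, ".tmp file lying directly in the Windows folder"))
    return findings


def triage(lines):
    """Run every heuristic over a list of log lines and collect (path, reason) findings."""
    findings = []
    for raw in lines:
        line = raw.lstrip().rstrip("\r\n")  # keep trailing spaces: they can be part of the name
        m = COMBOFIX_ROW.match(line)
        if m:
            size_txt = m.group("size")
            size = int(size_txt.replace(",", "")) if size_txt and size_txt[0].isdigit() else None
            findings.extend(check_path(m.group("path"), size, m.group("attrs")))
            continue
        m = HJT_O23.match(line)
        if m:
            path = m.group("path")
            if m.group("missing"):
                findings.append((path, f"service '{m.group('name')}' is registered but its binary is gone"))
            if "\\temp\\" in path.lower():
                findings.append((path, "service binary registered from a TEMP folder"))
            findings.extend(check_path(path))
            continue
        if BARE_PATH.match(line):  # e.g. paths listed under "Other Deletions"
            findings.extend(check_path(line))
    return findings


# Constructed sample: rows copied from the ComboFix and HijackThis logs posted in this thread.
SAMPLE_LOG = """\
2008-07-27 17:40 . 2006-12-29 00:31 19,569 --a------ C:\\WINDOWS\\005701_.tmp
2008-08-01 14:03 . 2008-08-01 14:03 <DIR> d-------- C:\\!KillBox
2008-06-20 11:51 361,600 ----a-w C:\\WINDOWS\\system32\\drivers\\tcpip.sys
2007-10-18 01:17 23 --sha-w C:\\WINDOWS\\system32\\fbad0_g.dll
2008-07-26 20:16 99 ----a-w C:\\Documents and Settings\\Norman\\wcau_ot02.bat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: McAfee Application Installer Cleanup (0066451217711838) (0066451217711838mcinstcleanup) - Unknown owner - C:\\WINDOWS\\TEMP\\006645~1.EXE (file missing)
C:\\Documents and Settings\\Norman\\My Documents\\WCAU Old Timers.
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{path}\n    -> {reason}")
```

Running it prints the same four paths the CFScript above targets or that the helper already had removed, and stays silent on tcpip.sys and the Ad-Aware service.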
     
  7. 2008/08/03
    catswhisker

    For some reason, it took three attempts before ComboFix made a log file. Up to that point, each time I ran it, the ComboFix window would just close.

    Anyhow, the .zip file was sent, and receipt was acknowledged.

    Here’s ComboFix.txt:

    ComboFix 08-08-01.05 - Norman 2008-08-03 17:58:07.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.211 [GMT -4:00]
    Running from: C:\Documents and Settings\Norman\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Norman\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\005701_.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Norman\My Documents\WCAU Old Timers.
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\Norman\My Documents\WCAU Old Timers.
    C:\WINDOWS\005701_.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
    .

    2008-08-02 17:21 . 2008-08-02 17:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
    2008-08-02 17:17 . 2008-08-02 17:17 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-08-02 17:14 . 2008-08-02 17:14 <DIR> d-------- C:\Program Files\McAfee
    2008-08-01 14:03 . 2008-08-01 14:03 <DIR> d-------- C:\!KillBox
    2008-07-29 16:18 . 2008-07-29 16:18 <DIR> d-------- C:\Program Files\GiPo@Utilities
    2008-07-29 16:18 . 2008-07-29 16:18 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
    2008-07-27 17:44 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
    2008-07-27 17:44 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
    2008-07-26 16:13 . 2008-07-26 16:16 99 --a------ C:\Documents and Settings\Norman\wcau_ot02.bat
    2008-07-25 16:59 . 2008-07-25 16:59 <DIR> d-------- C:\Program Files\COMODO
    2008-07-25 16:59 . 2008-07-25 16:59 <DIR> d-------- C:\Documents and Settings\Norman\Application Data\Comodo
    2008-07-25 16:59 . 2008-07-25 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-07-25 16:59 . 2008-07-25 16:59 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-07-25 16:59 . 2008-07-25 16:59 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-07-25 16:59 . 2008-07-25 16:59 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-07-19 14:00 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-18 14:56 . 2008-07-18 14:56 <DIR> d-------- C:\Program Files\Secunia
    2008-07-04 17:44 . 2008-07-04 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-07-04 17:44 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-03 19:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-03 19:50 --------- d-----w C:\Program Files\SpywareBlaster
    2008-08-02 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-08-02 02:15 --------- d-----w C:\Program Files\MICROSOFT MONEY BACKUPS
    2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-18 21:23 --------- d-----w C:\Program Files\Verizon Online
    2008-07-18 18:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-07-13 21:11 --------- d-----w C:\Program Files\MSECache
    2008-07-11 21:24 --------- d-----w C:\Program Files\Java
    2008-07-10 21:24 --------- d-----w C:\Program Files\SiteAdvisor
    2008-07-05 19:21 --------- d-----w C:\Documents and Settings\Norman\Application Data\SiteAdvisor
    2008-07-05 01:54 59,405 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_07_04_21_05_42_small.dmp.zip
    2008-07-04 20:15 --------- d-----w C:\Program Files\Lavasoft
    2008-07-04 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-04 20:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-02 19:26 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-02 19:26 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-16 08:31 7,808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys
    2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-05 01:23 --------- d-----w C:\Documents and Settings\Norman\Application Data\Malwarebytes
    2008-06-05 01:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-04 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-05-27 01:15 36,888 ----a-w C:\Documents and Settings\Norman\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-15 21:19 439,296 ------w C:\Documents and Settings\Norman\remote.exe
    2006-02-08 22:08 138 ------w C:\Program Files\INSTALL.LOG
    2006-01-19 22:50 13 ------w C:\Program Files\money2.QIF
    2006-01-19 22:17 202,845 ------w C:\Program Files\MONEY.QIF
    2004-11-01 05:00 1,236,235 ------w C:\Documents and Settings\Norman\ie-ads.reg
    2004-11-01 05:00 1,202,566 ------w C:\Documents and Settings\Norman\ie-ads-uninst.reg
    2003-09-28 22:00 10,228 ------w C:\Documents and Settings\Norman\install.bat
    2007-10-18 01:17 23 --sha-w C:\WINDOWS\system32\fbad0_g.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-02_21.02.52.89 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-07-11 13:41:36 345,656 ----a-w C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ADUserMon "= "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2008-04-27 15:48 147456]
    "HTpatch "= "C:\WINDOWS\htpatch.exe" [2002-10-30 05:40 28672]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2004-05-12 17:22 249856]
    "THGuard "= "C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19 1102848]
    "TrueImageMonitor.exe "= "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 02:52 2595480]
    "AcronisTimounterMonitor "= "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 03:02 905056]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 15:26 1232152]
    "Acronis Scheduler2 Service "= "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 02:55 140568]
    "Ad-Watch "= "C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-07-04 16:30 2468200]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-25 16:59 1655552]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

    C:\Documents and Settings\Norman\Start Menu\Programs\Startup\
    Secunia PSI (RC3).lnk - C:\Program Files\Secunia\PSI (RC3)\psi.exe [2008-06-16 05:03:08 663552]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
    backup=C:\WINDOWS\pss\MagicTune 3.6.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe "=

    R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-10-22 21:27]
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 15:26]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-25 16:59]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-25 16:59]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-02 15:26]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 15:26]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 15:26]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-07-23 18:52]
    R2 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-09-14 04:01]
    S2 0066451217711838mcinstcleanup;McAfee Application Installer Cleanup (0066451217711838);C:\WINDOWS\TEMP\006645~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
    S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\system32\drivers\ASUSHWIO.sys [2000-03-29 10:17]
    S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-06-16 04:31]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
    msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-16 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
    - c:\utilities\SpeedUpMyPC\SpeedUpMyPC.exe []

    2008-05-17 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
    - c:\utilities\SpeedUpMyPC\SpeedUpMyPC.exe []
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-03 18:03:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
    "ImagePath "= "\ "\" "
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-03 18:09:03 - machine was rebooted [Norman]
    ComboFix-quarantined-files.txt 2008-08-03 22:08:53
    ComboFix2.txt 2008-08-03 01:05:33

    Pre-Run: 30,327,988,224 bytes free
    Post-Run: 30,324,981,760 bytes free

    178 --- E O F --- 2008-01-09 20:46:56


    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:34:44 PM, on 8/3/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\SiteAdvisor\6261\SAService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\TrojanHunter 4.7\THGuard.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Secunia\PSI (RC3)\psi.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\explorer.exe
    C:\UTILITIES\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe "
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe "
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: www.bitdefender.com
    O15 - Trusted Zone: http://www.ewido.net
    O15 - Trusted Zone: usa.kaspersky.com
    O15 - Trusted Zone: www.pandasecurity.com
    O15 - Trusted Zone: http://housecall.trendmicro.com
    O15 - Trusted Zone: http://*.turbotax.com
    O15 - Trusted Zone: *.vanguard.com
    O15 - Trusted Zone: *.verizon.net
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120085952027
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143236299578
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: McAfee Application Installer Cleanup (0066451217711838) (0066451217711838mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\006645~1.EXE (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    --
    End of file - 8980 bytes
     
  8. 2008/08/03
    noahdfear
    Please verify if the WCAU Old Timers. file is now gone.

    Copy the following command and paste it into a command window, then hit Enter.

    attrib -r -h -s C:\WINDOWS\system32\fbad0_g.dll

    Now delete the file C:\WINDOWS\system32\fbad0_g.dll
    You can also delete C:\!Killbox and Killbox.exe
    Is this the batch you made? C:\Documents and Settings\Norman\wcau_ot02.bat
    You can delete it as well.

    Please give me an update on system performance/issues.
     
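    The file singled out in the post above, C:\WINDOWS\system32\fbad0_g.dll, appears in the ComboFix Find3M report earlier in this thread as a 23-byte DLL carrying the system and hidden attributes, which is why it needs `attrib -r -h -s` before it can be deleted. As an added example (not a tool from the thread, from ComboFix or from the helper), the Python below parses lines in that report format and flags the two traits that make such an entry stand out; the flag-letter meanings (d = directory, s = system, h = hidden) are assumed from the letters seen in the log and the attrib switches in the post, and the sample lines are constructed from entries in the log above.

```python
"""Triage of ComboFix "Find3M Report" lines: flag hidden+system or implausibly
small binaries under system32.  Added example; the attribute-letter meanings
(d=directory, s=system, h=hidden, a=archive) are assumed from the log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# A Find3M line: "<date> <time> <size-or-dashes> <7 attribute chars> <path>"
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[A-Za-z-]{7}) (?P<path>.+)$"
)

SYSTEM_DIRS = ("c:\\windows\\system32\\",)
BINARY_EXTS = (".dll", ".sys", ".exe")


@dataclass
class Entry:
    date: str
    size: Optional[int]      # None for directories (size shown as dashes)
    attrs: Set[str]          # set of attribute letters, e.g. {'s', 'h', 'a', 'w'}
    path: str


def parse_find3m(text: str) -> List[Entry]:
    """Parse every well-formed Find3M line; headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FIND3M_RE.match(raw.strip())
        if not m:
            continue
        size_field = m["size"]
        size = None if set(size_field) == {"-"} else int(size_field.replace(",", ""))
        attrs = set(m["attrs"].replace("-", ""))
        entries.append(Entry(m["date"], size, attrs, m["path"]))
    return entries


def suspicious(entry: Entry, tiny_bytes: int = 1024) -> List[str]:
    """Return the reasons an entry merits a closer look (empty list = nothing odd)."""
    reasons: List[str] = []
    if "d" in entry.attrs:           # directories are not interesting here
        return reasons
    lower = entry.path.lower()
    in_system32 = lower.startswith(SYSTEM_DIRS)
    if in_system32 and {"s", "h"} <= entry.attrs:
        reasons.append("hidden+system file in system32")
    if (in_system32 and lower.endswith(BINARY_EXTS)
            and entry.size is not None and entry.size < tiny_bytes):
        reasons.append(f"implausibly small binary ({entry.size} bytes)")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its list of reasons."""
    return {e.path: r for e in parse_find3m(text) if (r := suspicious(e))}


# Constructed sample, modelled on entries from the Find3M report in this thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 19:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2006-09-15 21:19 439,296 ------w C:\Documents and Settings\Norman\remote.exe
2007-10-18 01:17 23 --sha-w C:\WINDOWS\system32\fbad0_g.dll
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Only the 23-byte hidden+system DLL is reported; the legitimate drivers in system32\drivers pass both checks.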
  9. 2008/08/05
    catswhisker
    Obituary

    The file, WCAU Old Timers., quietly left this world after a long bout with deletus impossibilitis. R.I.P.! :)

    Thank you!

    I’d be interested to know how it was done. Was it malware?

    (I do, in fact, have a document labeled WCAU Old Timers.doc, but I don’t know of any relationship)

    Killbox is gone, but I still have Combofix.exe on the desktop, and wonder if I should keep it (although I’d prefer downloading it again, and saving it in C:\Utilities).

    Is it safe to assume I should get rid of the associated zip file?

    Yes, the file wcau_ot02.bat was one of three I had made before you showed me how to paste into a command window. They were in my Batch folder, and I don’t know why only this one showed up.

    Regarding my remaining issues, here are the ones I’m presently aware of:

    I went through the large icons/small icons routine again, and for the most part there’s been an improvement concerning the desktop icons on startup. However, sometimes they’ll appear without the shortcut arrows, which load a couple of seconds later.

    Sometimes, the icons disappear momentarily, or for several seconds, while programs are loading.

    The desktop icons frequently go generic when closing programs, but closing programs isn’t the only time this happens. It takes 10-15 seconds before they return to normal.

    There’s been no change in the one-at-a-time file loading in certain folders.

    Some programs that used to open in an acceptable amount of time, now take more time than I’m used to.

    Are they just getting fat?

    Finally, the partial opening and delayed completion of opening some programs is still present.

    That’s all I can remember.
     
    Last edited: 2008/08/05
  10. 2008/08/05
    noahdfear
    Please right click the folder C:\Qoobox and select Send To>Compressed (Zipped) Folder. It will create a C:\Qoobox.zip file. Please upload the zip file to my submission channel for analysis. Leave a link back to this topic.

    Thanks!

    Now we can uninstall ComboFix. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. You can also delete C:\Qoobox.zip

    Let's run an online scan to make sure something hasn't been overlooked. Scan with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log here if anything is reported infected.
     
  11. 2008/08/07
    catswhisker
    Pardon my ignorance, but….

    I accessed your submission channel through the link you provided. The browse button allowed me to choose the file you wanted uploaded, but I couldn’t get past that point.

    How do I transfer the file to where it belongs in the analysis window?

    I ran Kaspersky, and saved the report, but there were no problems.

    There were a large number of programs/files that were marked "locked", including AVG, so I assume it was OK to have allowed AVG to run during the scan.

    (For some reason, when I tried maximize Kaspersky, the only thing that happened was the window shifted sideways, but remained the same size.)

    Before I attended to your post, I had the following occur:

    Ad-Aware opened as the free version. Apparently, 'something' had deleted my license key. When I opened OE to paste it from the e-mail confirmation, the entry was missing.

    I had to get the key online. (Either I couldn’t locate my printed copy, or I never made one).

    Ad-Aware seems OK now.

    Next, McAfee Site Advisor stopped working in both IE and Firefox. When I downloaded both files again, everything seemed OK for awhile, but now it doesn’t work in IE at all, and only partially in Firefox.

    I’ll play with it later.

    Today’s my day for scanning, so I’ll let you know if anything shows up.

    Thanks.
     
  12. 2008/08/07
    noahdfear
    RE: submission channel

    After browsing to and selecting the file, click the Send File button.


    Locked files are not uncommon. Generally just means they are in use and cannot be accessed for scanning.

    Very odd behavior with Ad-aware and Site Advisor. Very odd indeed. Haven't a clue as to what might have caused it either. :confused:


    Let's run another check on things. Download GMER

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
     
  13. 2008/08/08
    catswhisker
    Qoobox.zip sent OK. Problem the first time was, I hadn’t clicked on "Open" in the Browse window, because I thought it would open the file, rather than enter it into the space provided. Obviously, I should have known better. :)

    About a week ago, I had tried running ewido, but the database files wouldn’t download.

    Today, I deleted all the ewido references I could find, and started from scratch.

    The files downloaded OK, and the scan went flawlessly. No junk.

    I deleted all references to QooBox, and uninstalled ComboFix.

    Not all references to ComboFix went away, but, hopefully, I got all the leftovers.

    Here’s the GMER log:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-08 17:12:03
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAAFECC8C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xAAFEC3C4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xAAFEC8A0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateKey [0xAAFED43C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xAAFEC080]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xAAFEE084]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xAAFECE72]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0xAAFEBC50]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteKey [0xAAFED0B8]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteValueKey [0xAAFED268]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xAAFEBB02]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xAAFEDD24]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xAAFECAB0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0xAAFEB822]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xAAFEC744]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0xAAFEB9AA]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xAAFED7F2]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xAAFEC196]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xAAFEDAE6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xAAFEDEC4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetValueKey [0xAAFED602]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xAAFEC5D2]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xAAFEC638]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateProcess [0xAAFEBF4A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xAAFEBE18]

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F83F7710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F83F7990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F83F7710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F83F7990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F83F7990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F83F7710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F83F7990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F83F7710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F83F7710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F83F7990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F83F7710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F83F7990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F83F7710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Ip NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

    Device \Driver\cmdHlp \Device\CFPTcpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\cmdHlp \Device\CFPUdpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\cmdHlp \Device\CFPRawFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

    Device \Driver\cmdHlp \Device\cmdhlp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\cmdHlp \Device\CFPIpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

    ---- EOF - GMER 1.0.14 ----
     
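    The GMER log above is judged clean because every IAT hook and attached device is attributed to a known product (COMODO, AVG, Lavasoft, Acronis, Microsoft). The following Python snippet is an added example, not part of this thread or of GMER, that parses those log lines, groups hooks by the hooking module and vendor, and surfaces any entry GMER could not attribute to a vendor, which is the first thing to investigate in a log that is not clean. The sample input copies four lines from the log above and adds one constructed line ("unknown.sys", which does not appear on the page) to exercise the unattributed case.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample: four lines copied from the GMER log above plus one
    # constructed line ("unknown.sys", not from the page) that carries no vendor
    # description, which is the form GMER prints when it cannot identify a module.
    SAMPLE_LOG = r"""
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F83F7770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F83F7950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F83F7710] unknown.sys
    """

    # "IAT <hooked image>[<import>] [<address>] <hooking module> (<description/vendor>)"
    IAT_RE = re.compile(
        r"^IAT\s+(?P<target>[^\[\s]+)\[(?P<import>[^\]]+)\]\s+"
        r"\[(?P<address>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?$"
    )
    # "AttachedDevice <driver object> <device object> <module> (<description/vendor>)"
    # and "Device <driver object> <device object> <module> (<description/vendor>)"
    DEVICE_RE = re.compile(
        r"^(?P<kind>AttachedDevice|Device)\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
        r"(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?$"
    )


    def _split_desc(desc):
        # GMER prints "<file description>/<company name>"; the vendor is the last field.
        if desc is None:
            return None, None
        if "/" in desc:
            description, vendor = desc.rsplit("/", 1)
            return description.strip(), vendor.strip()
        return desc.strip(), None


    def parse_gmer(text):
        """Return one dict per recognised IAT / AttachedDevice / Device line."""
        entries = []
        for raw in text.splitlines():
            line = raw.strip()
            m = IAT_RE.match(line)
            if m:
                description, vendor = _split_desc(m.group("desc"))
                entries.append({"kind": "IAT", "target": m.group("target"),
                                "import": m.group("import"),
                                "address": m.group("address").upper(),
                                "module": m.group("module"),
                                "description": description, "vendor": vendor})
                continue
            m = DEVICE_RE.match(line)
            if m:
                description, vendor = _split_desc(m.group("desc"))
                entries.append({"kind": m.group("kind"), "target": m.group("device"),
                                "import": None, "address": None,
                                "module": m.group("module"),
                                "description": description, "vendor": vendor})
        return entries


    def summarize(entries):
        """Group entries by hooking module: hook count, attributed vendor, hooked targets."""
        summary = defaultdict(lambda: {"count": 0, "vendor": None, "targets": set()})
        for e in entries:
            s = summary[e["module"]]
            s["count"] += 1
            s["vendor"] = s["vendor"] or e["vendor"]
            s["targets"].add(e["target"])
        return dict(summary)


    def find_unattributed(entries):
        """Entries whose module GMER could not attribute to a vendor: the ones to investigate."""
        return [e for e in entries if e["vendor"] is None]


    if __name__ == "__main__":
        parsed = parse_gmer(SAMPLE_LOG)
        for module, info in summarize(parsed).items():
            print(f"{module}: {info['count']} hook(s), vendor={info['vendor']}")
        for e in find_unattributed(entries=parsed):
            print("UNATTRIBUTED:", e["kind"], e["target"], e["module"])
    ```

    Run against the full log above (every hooking module carries a vendor string), `find_unattributed` returns nothing, which is the mechanical version of the "free of rootkits" reading given a few posts later. A module that hooks NDIS or attaches to \Device\Tcp without any description/vendor string is what would warrant a closer look, along with the usual checks on the file's digital signature and on-disk path.
    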
  14. 2008/08/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click Start>Run and type or paste the following command then hit enter to uninstall gmer.

    %systemroot%\gmer_uninstall.cmd

    Restart the computer to complete the uninstallation of gmer.

    Now, download mbr.exe and save it to your desktop.
    Double click mbr.exe to run it.
    It will open and close very quickly and produce the file mbr.log on the desktop.
    Double click mbr.log to open it and post its contents.
     
  15. 2008/08/09
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Here’s the MBR log you asked for:

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 62 !
     
  16. 2008/08/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Both gmer and mbr.exe show the system is free of rootkits. Give me an update on the system's performance please.
     
  17. 2008/08/10
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    As far as I can tell, nothing has changed, but I’ll reprise what my machine is doing.

    The first thing I notice, of course, is the behavior of the desktop icons on startup.

    Sometimes, they load reasonably OK; at other times, they may not appear all at once, or the shortcut arrows are late. Sometimes, the icons disappear momentarily while the System Tray loads, and sometimes it isn’t so momentarily.

    At times, when I close a program, the icons go generic, and are very slow to return to normal. Sometimes, this happens when I click on something within a program.

    There are several folders that load one-at-a-time. In the case of the Desktop folder, the shortcuts appear all at once, but the icons in front of each one loads one-at-time. I can’t do anything until they’re finished loading.

    I’m still experiencing the partial opening of some programs; then the rest of the program appears.

    As far as the slow program openings I mentioned are concerned, it seems that in at least some cases the reason is that the programs have become bloated, an admission I read on the Ad-Aware site.

    Spybot S&D had an upgrade about a week ago, and now the program opens even slower (much slower) than before.

    When I run a scan in Ad-Aware, the program takes a long time to close. No problem when closing the program without scanning.

    That’s all the ‘usual’ behavior I can recall.

    On a couple of occasions, recently, I’ve seen a second AVG icon in the system tray, and when I’d run the mouse over it, it says AVG is scanning. I didn’t do it, and I have no scheduled scans.

    When I opened the program, it wasn’t scanning. Go figure.

    Just this evening, when I came back to my machine, there was a small error window from Secunia, saying “scan aborted.” I have no idea what it was talking about.

    For all I know, there may be other goodies just waiting to happen.

    I don’t believe any of the above is normal behavior, so I hope there are still things we can try.

    By the way, this is Page 149 in Word, including all the logs.

    I’m pretty close to that book! :)

    Thanks.

    P.S. After this post, it occurred to me that the symptoms I'm experiencing might be the result of program conflicts.

    Your thoughts?
     
    Last edited: 2008/08/11
  18. 2008/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi catswhisker! I hadn't forgotten about you ........ just giving thought to what else to try (not having much luck either).

    This could very well be a factor. You might do some troubleshooting with msconfig. Let me know if you need specifics on accomplishing that. ;)

    You should also consider running the Full Tests at PC Pitstop. It can sometimes be a good troubleshooting tool.
     
  19. 2008/08/15
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Thanks for the tip regarding PC Pitstop.

    It came up with seven recommended fixes, but I haven’t succeeded in doing anything about most of them.

    I’ll list them, in case you can determine whether any are likely to be contributing factors:

    Change Internet Receiver Buffer (not tried).

    Defragment File (Drive C: )

    Defragment Drive C:

    (I downloaded a recommended program called Disk MD—I assume it would work on this and the previous item—but it was so fast, I’m not sure it did anything. I’ll run a defrag program later today, although I doubt it’s necessary)

    Reduce System Restore Capacity (done)

    Update Network adapters Driver. (not tried)

    Update Display Adapter Driver (There are two of these, both with the same version number).

    I’ve been trying, unsuccessfully, to access the "Download Graphics Drivers" link on the ATI site. I hope this isn’t another example of a similar problem some time ago, which I believe was caused by a bad guy, but I don’t remember.

    PC Pitstop supposedly has its own links for all these items, but I guess I just don’t know how to use them…..I’ll keep trying, though.

    Ad-Aware came up with 3 pieces of malware yesterday, and since they were all instances of the same object, but with different paths, I quarantined them.

    Having had the same item show up the last time I ran Ad-Aware a week ago (which I deleted), I ran Ad-Aware a second time, and it came up with one more example of the same thing, so I’m not sure if these are really malware.

    I restored them, and ran my other anti-malware programs, but they didn’t detect anything.

    Ad-Aware is beginning to behave somewhat like ZA did, so I’m going to see if I can find a free substitute to try.

    This post is to update you with the latest doings, and I intend to pursue the fixes, hopefully with more luck than I’ve had so far.

    But, you mentioned msconfig, and I’d like to try playing with it, but I’m leery of doing it on my own.

    As mentioned previously, I disabled two system tray items, and one program which I’m reasonably certain doesn’t need to load at startup.

    So, if you’d be kind enough to walk me through, I’d appreciate it.

    Thanks, once again.
     
  20. 2008/08/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    From what you mentioned RE: PC Pitstop, the only thing(s) I would consider possibly suspect would be drivers. Stick to the manufacturer's website for drivers whenever possible. What are the specs for the graphics card?

    What is being detected by Ad-aware? It's likely the lsdelete service behind the ZA-like behavior. You could probably disable that during normal computing and start it only when ready to scan.

    Just in from a couple days away and have some catching up to do, so I'll look over the last log you posted, likely tomorrow evening, and make some recommendations for msconfig then.
     
  21. 2008/08/18
    catswhisker

    catswhisker Inactive Thread Starter

    Joined:
    2006/10/18
    Messages:
    67
    Likes Received:
    0
    Hi, Dave…

    I have some good news and some bad news about PC Pitstop.

    The good news is that I was finally able to get at the Graphics Driver Update page.

    The version number was actually higher than PC Pitstop said, and I got a bonus because the Software also had an upgrade. Very nice.

    However, it was mostly downhill from there.

    After making some changes, I ran another PC Pitstop scan, and the results weren’t very encouraging.

    Regarding the Internet Receive Buffer, I downloaded a program called TCP Optimizer, which apparently automatically makes any necessary Registry changes, depending on settings.

    PC Pitstop says I’m still at the default setting, even though I had reset to 6 MB/s, which may still be low. I reset it again to 10 MB/s. (Of course, I may not know how to use the program properly. (I have a “thing” about programs which require online help).

    I defragged, and Pitstop says I’m at 11% (down from 21%). That can’t be right.

    I had reduced the System Restore capacity to 2001 MB, but Pitstop says I’m at 6719 (down from 9422).

    Finally, I discovered that Pitstop was way off regarding the Network adapter version.

    The one on my machine is a higher number than Pitstop says, and their recommended version number was higher than the latest one from SiS.

    In fact, using Search and System Information, I found out that I have the latest driver installed, although I have no recollection of updating it.

    I had downloaded the installation file, and I’m certainly glad I didn’t mess with it.

    The unkindest cut of all was Pitstop telling me that my machine ranks in the lowest 39%; worse than the 36% after the first scan. :(

    (But, at least, I’m down to 4 fixes from 7, according to Pitstop). :)

    I don’t think I’m going to do anything further.

    That’s all regarding PC Pitstop.

    You asked about what Ad-Aware had found, and I must have had Settings wrong, because the files were no longer in quarantine, and must have been deleted.

    (It’s possible, I suppose, that some of the problems with the program result from the absence of these files, assuming they were really necessary).

    I made some changes, so I’ll let you know what those files were next time I run Ad-Aware.

    What’s lsdelete service, and how would I disable it?

    For a while, when I closed and tried to reopen Firefox, I’d get a message that it was already open, and only one instance could be opened at a time. (Not true).

    It asked if I wanted to close Firefox, to which I said OK, and then I could reopen it.

    After a while, I uninstalled Firefox, and reinstalled the same version, and the problem cleared up. Except for once.

    I also discovered that at least one of my add-ons had stopped working. It had to do with handling PDFs. Since I rarely use PDF, I wasn’t aware the add-on had stopped working until it appeared the next time I wanted to view a PDF file, using the new Firefox.

    I’ll save any further comments ‘til after we work on msconfig.

    (Except to mention a new oddity. Since I installed the upgraded Graphics software, the icon goes generic, but I don’t know what causes it.

    When I restart the machine, it’s OK, but it changes before long).

    I sure have strange things happen, don’t I?

    Edit: Here are the specs for my Graphics card:

    ATI Radeon 9550 (Series X1050) AGP, w/256 MB memory.

    Also, it occurred to me in the shower today, that PC Pitstop’s change in percentage was actually an “improvement.” (I have a problem getting past 1+1=3)

    I must add that programs are opening much slower than before, and more of them open in “pieces.”

    I was hoping to wait until after msconfig, but this ain’t good.
     
    Last edited: 2008/08/19
