got a trojan and want to start over - format my hard drive!

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
Yes, disable avast and delete the current copy of Combofix on your desktop. Go back to the Combofix download link and download a new, updated copy. Then drag the script over Combofix.
 

johnb35

Administrator
Staff member
To disable avast right click on the icon in the system tray and click on "avast shields control" and then click on "until computer is restarted"

Also I disable the sandbox setting. open avast, click on additional protection, click on autosandbox, Click on settings, uncheck the box.
 

kona

Member
I've had trouble getting back on the internet a few times tonight.
no connection message..........then after rebooting a few times - got here.

Can't get past "Completed Stage 2" of the Combofix.

I deleted the copy of combofix I had.......went back here and downloaded it again.......copied the killall file box you told me to do - ran notepad pasted the killall file there - saved it as CFScript.txt as instructed. Then I drug it to the newly downloaded Combofix Icon and everything looked good (yes I disabled Avast until next startup). But..........I only get to the stage 2 and everything seems to stop.....no little activity light blinking on my tower. I left it alone for a good 40 minutes or so....just to see..........but nothing. So I tried to shut down but couldn't......had to push the restart button .....again. Should I just go ahead and download the ESET online scanner and go from there?????
 

kona

Member
Posting ESET log txt file

C:\Documents and Settings\MSI\Application Data\Sun\Java\Deployment\cache\6.0\16\3f154490-1b452189 multiple threats
C:\Documents and Settings\MSI\Application Data\Sun\Java\Deployment\cache\6.0\47\1f21f96f-11b3f1f2 Java/Agent.DU trojan
C:\Documents and Settings\MSI\Application Data\Sun\Java\Deployment\cache\6.0\62\23146dfe-5a21eb55 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Documents and Settings\MSI\Local Settings\temp\Av-test.txt Eicar test file
C:\Documents and Settings\ROSEMARY\Application Data\Mozilla\Firefox\Profiles\zv8tm84t.default\extensions\[email protected]\components\PlaySushiFF.dll probably a variant of Win32/Adware.Gamevance.AG application
C:\qoobox\Quarantine\C\Documents and Settings\MSI\Local Settings\Application Data\12eba47c\U\[email protected] probably a variant of Win32/Kryptik.JDI trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0370980.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0371003.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372003.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372089.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372094.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372105.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372106.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372110.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0373105.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0373106.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0373112.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0373115.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0374105.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0374106.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0374110.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0375105.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0375106.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0375110.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0375129.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0375130.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0376128.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0376129.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0376133.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0376138.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0376139.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0377141.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0377142.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0378141.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0378142.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0378146.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0379141.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0379142.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0379146.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0379159.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0379160.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0380159.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0380160.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0380163.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0380164.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0381159.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0381160.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0381165.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0381208.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0381209.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0381212.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0382208.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0382209.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0382213.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0383208.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0383209.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0384277.ini a variant of Win32/Sirefef.CH trojan
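As an added example (not code from this thread, from ESET or from ComboFix), here is a small Python triage script for log lines in the format posted above. Each line is "<path> <detection>" and the path itself contains spaces, so the script splits from the right-hand end of the line, then groups the hits by where they live (restore points, Java cache, ComboFix quarantine) and maps each location to the clean-up it implies, which is the same mapping the advice in this thread follows. The sample lines are copied from the log above plus one constructed junk line; the location labels, family normalisation and action wording are this example's own assumptions, not ESET's.

```python
"""Triage an ESET Online Scanner log of the shape posted above."""
import re
from collections import Counter

# Constructed sample: lines copied from the posted ESET log, plus one junk
# line to show that unparseable input is reported rather than silently dropped.
SAMPLE_LOG = r"""
C:\Documents and Settings\MSI\Application Data\Sun\Java\Deployment\cache\6.0\16\3f154490-1b452189 multiple threats
C:\Documents and Settings\MSI\Application Data\Sun\Java\Deployment\cache\6.0\47\1f21f96f-11b3f1f2 Java/Agent.DU trojan
C:\Documents and Settings\MSI\Application Data\Sun\Java\Deployment\cache\6.0\62\23146dfe-5a21eb55 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Documents and Settings\MSI\Local Settings\temp\Av-test.txt Eicar test file
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0370980.sys Win32/Rootkit.Agent.NUT trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372106.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1605\A0372110.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{F5CEBD4F-577E-4B5C-8DC3-14A76DB1F8A9}\RP1606\A0381208.sys Win32/Rootkit.Agent.NUT trojan
this line is not an ESET detection
"""

# The detection text is anchored at the end of the line; the non-greedy path
# group stops at the first split where the remainder is a complete detection.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?\S+ (?:trojan|application)"
    r"|Eicar test file|multiple threats)$"
)
VARIANT_PREFIX = re.compile(r"^(?:probably )?(?:a variant of )?")
RP_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\")


def family_of(detection):
    """'a variant of Win32/Sirefef.CH trojan' -> 'Win32/Sirefef'.
    The variant suffix after the last dot is dropped so repeated hits on the
    same family are counted together (assumed naming convention)."""
    if detection in ("multiple threats", "Eicar test file"):
        return detection
    name = VARIANT_PREFIX.sub("", detection).split(" ")[0]
    return name.rsplit(".", 1)[0] if "." in name else name


def classify_location(path):
    """Coarse bucket for where the hit lives (labels are this example's own)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system restore point"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java cache"
    if p.startswith("c:\\qoobox\\quarantine"):
        return "combofix quarantine"
    if "\\mozilla\\firefox\\profiles\\" in p:
        return "firefox profile"
    return "other"


def restore_point_of(path):
    """Return the RPnnnn restore point id embedded in the path, or None."""
    m = RP_RE.search(path)
    return m.group(1) if m else None


def parse_eset_log(text):
    """Return (detections, unparsed_lines). Each detection is a dict."""
    detections, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        path, det = m.group("path"), m.group("detection")
        detections.append({
            "path": path,
            "detection": det,
            "family": family_of(det),
            "location": classify_location(path),
            "restore_point": restore_point_of(path),
        })
    return detections, unparsed


def summarize(detections):
    """Counts by location and family, plus the clean-up each location implies."""
    by_location = Counter(d["location"] for d in detections)
    by_family = Counter(d["family"] for d in detections)
    rps = sorted({d["restore_point"] for d in detections if d["restore_point"]})
    actions = []
    if by_location["system restore point"]:
        actions.append("purge restore points %s (turn System Restore off, then on)" % ", ".join(rps))
    if by_location["java cache"]:
        actions.append("clear the Java deployment cache")
    if by_family["Eicar test file"]:
        actions.append("delete the EICAR test file (harmless AV test string)")
    if by_location["combofix quarantine"]:
        actions.append("already quarantined by ComboFix; nothing left to run")
    return {"by_location": dict(by_location), "by_family": dict(by_family),
            "restore_points": rps, "actions": actions}


if __name__ == "__main__":
    found, junk = parse_eset_log(SAMPLE_LOG)
    report = summarize(found)
    for key, value in report.items():
        print("%s: %s" % (key, value))
    print("unparsed lines: %d" % len(junk))
```

The point of bucketing by location is that the restore-point hits are not live infections: they are copies frozen inside RP1605 and RP1606, which no file-by-file deletion reaches, so the only clean-up is to drop the restore points themselves.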
 

johnb35

Administrator
Staff member
Ok, not bad, simple to get rid of.

1.

Follow the instructions on this page to delete your java cache.

http://www.java.com/en/download/help/plugin_cache.xml

2.

We need to turn system restore off and then turn it back on again.

Right click on "my computer" click on properties, click on the system restore tab, check the box to turn off system restore, click apply, click ok. Then go back into it and uncheck the box to turn system restore back on. This will delete those and all restore points you have on your system.

3.

Manually delete this file. You will need to change the options to show hidden files and folders though.

C:\Documents and Settings\MSI\Local Settings\temp\Av-test.txt

4.

If you haven't done so already please download and run ccleaner.

http://download.cnet.com/ccleaner/

Download, install and open program, don't change any options, click on run cleaner then can you try running combofix again for me?
 

kona

Member
I've gotten down to manually delete this file:

and even though I go to MSI and change and apply and okay I can't see the "Local Settings" folder.

How do I get to
C:\documents and settings\msi\local settings\temp\av-test.txt ????
 

kona

Member
okay - I did a search in C drive and found the file and deleted it.....is that the right thing to do here?
 

kona

Member
When I ran c cleaner I didn't want all the "extra" add-ons and new software alerts they wanted to give to me so I unchecked all their adds and just ran the c cleaner - is that right?
It found a lot of files that were deleted but I could not copy the list (I tried to highlight it).

I have to go to work again so I will try to run combofix at 6 tonight PST. I have to work overtime tonight 730- midnight or later so that sucks for getting this done. I'll do what I can tonight.....thanks!
Gary
 

kona

Member
Sorry - I guess the cleaner may not have deleted what it found - is that right? I'm at work right now so I don't have access to my computer.
I meant I was trying to copy the list that the ccleaner posted and I couldn't access the list - I tried to click onto it and nothing happened. I was trying to copy it to show you - that's all.
Ya - I hope I will be able to run Combofix tonight.
I will remember to go in and disable the sandbox feature in Avast and I will disable Avast - to enable again upon reboot - before I run Combofix.

Should I delete the Combofix on my desktop now - the one I downloaded yesterday - and go here and download it again....tonight??

You can't post what ccleaner deletes. Hopefully combofix will run.
 

johnb35

Administrator
Staff member
Providing you clicked on run cleaner and not on analyze then it deleted whatever it found automatically. It may help to delete the existing combofix and download a new copy.
 

kona

Member
It took me forever to get back onto the internet tonight.....I keep getting two internet connections whenever I click onto IE. And, my Favorites were all reorganized....? I couldn't find this website - it took me a while to hunt it down - I kept getting other ComputerForums. Oh well - I'm here now - ready to get started .....again
 

kona

Member
John - I deleted the copy of combofix that was on my desktop and I downloaded a new one. I disabled malware and avast - sandbox within avast was disabled as well. I ran it - and got the same problem. It gets to the completion of Stage 2 and then my pc seems to hang up.........no activity light blinking.....nothing. I went downstairs and played my drums for 1/2 hr and came back....still just nothing. So I xed out of the program. There is no way I could get an internet connection....even after I engaged avast and malware. I rebooted and then I got back on here.
What's next? This is so frustrating.............don't get me wrong - I really appreciate the help and hope this pc will get well with your help. I'm working double shift today - go back to work in an hour or so...............the poachers never rest at this time of the year.
 

kona

Member
It seemed to work in safe mode - all 50+ stages, and here is the log:

ComboFix 11-11-09.02 - MSI 11/09/2011 18:22:38.6.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2646 [GMT -8:00]
Running from: c:\documents and settings\MSI\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-11-09 05:08 . 2011-11-09 05:08 -------- d-----w- c:\program files\ESET
2011-11-09 01:42 . 2011-11-09 01:51 -------- d-----w- C:\## aswSnx private storage
2011-11-08 05:27 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-08 05:27 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-08 05:27 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-08 05:27 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-08 05:27 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-08 05:27 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-08 05:27 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-08 05:27 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-08 05:27 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-08 05:27 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\program files\AVAST Software
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-08 03:41 . 2011-11-08 03:41 388096 ----a-w- c:\documents and settings\MSI\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-07 02:54 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 02:54 . 2011-11-07 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 02:14 . 2011-11-07 02:14 -------- d-----w- c:\documents and settings\MSI\Application Data\BabylonToolbar
2011-11-07 02:13 . 2011-11-07 02:13 -------- d-----w- c:\program files\Babylon
2011-11-07 02:12 . 2011-11-07 02:47 -------- d-----w- c:\documents and settings\MSI\Application Data\Systweak
2011-11-07 02:12 . 2011-09-30 23:37 17280 ----a-w- c:\windows\system32\roboot.exe
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-11-06 18:48 . 2011-11-08 02:15 -------- d-sh--w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c
2011-10-13 05:58 . 2011-10-13 05:58 -------- d-----w- c:\program files\iPod
2011-10-13 05:58 . 2011-10-13 05:59 -------- d-----w- c:\program files\iTunes
2011-10-13 05:55 . 2011-10-13 05:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-08 01:13 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-13 14:06 . 2011-05-17 00:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2006-09-16 21:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 12:06 . 2010-05-08 17:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 09:37 . 2007-06-18 18:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 18:41 . 2007-10-09 21:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-06-02 15:15 . 2010-06-02 15:15 436 ----a-w- c:\program files\060220108152078.bat
2010-06-02 15:09 . 2010-06-02 15:09 445 ----a-w- c:\program files\060220108094678.bat
2004-10-01 22:00 . 2006-09-16 22:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-12-26 21:06 . 2007-12-26 21:06 133120 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\MSI\Local Settings\Application Data\12eba47c ----
.
2011-11-06 18:48 . 2011-11-06 18:48 2048 --sha-w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c\@
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-08_02.20.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 08:02 . 2009-07-12 08:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2008-08-15 02:13 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2008-08-15 02:13 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2011-11-08 05:27 . 2011-11-08 05:27 219648 c:\windows\Installer\ac13cd.msi
+ 2011-11-08 03:41 . 2011-11-08 03:41 1094656 c:\windows\Installer\4b9948.msi
+ 2006-09-16 21:59 . 2011-11-10 00:59 50295240 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-08-07 135168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-26 364544]
"nwiz"="nwiz.exe" [2006-08-08 1519616]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-12-26 98304]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MSI^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\MSI\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
2005-10-25 20:56 61440 ----a-w- c:\windows\VM303_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-08-20 21:57 221184 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-07-25 14:14 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-08-20 21:15 483328 ----a-r- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-08-20 21:23 49152 ----a-r- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-10 01:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2002-11-08 10:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-11 13:43 7630848 ----a-r- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-11 13:43 86016 ----a-r- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-08 21:54 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 20:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-06 01:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-15 00:21 16270848 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 17:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-14 01:04 707376 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
2006-07-08 00:15 348160 ----a-w- c:\program files\WinFast\WFTVFM\WFWIZ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-04-07 10:16 631364 ----a-w- c:\program files\Logitech\iTouch\iTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"NVSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"FSAUA"=3 (0x3)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"iPod Service"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [7/14/2009 1:06 PM 101120]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2008 1:09 PM 717296]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/7/2011 9:27 PM 442200]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/7/2011 9:27 PM 320856]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/7/2011 9:27 PM 20568]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/6/2011 6:55 PM 366152]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 5:44 PM 183560]
S3 cpuz134;cpuz134;\??\c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 HwIOctl;HwIOctl; [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/6/2011 6:54 PM 22216]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/6/2009 5:36 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/6/2009 5:36 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [5/6/2009 5:36 PM 23680]
S3 SunkFilt6;Alcor Micro Corp - 6360; [x]
S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 1:55 PM 46536]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [11/9/2007 11:24 PM 9446]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CXTUNE
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-10-19 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard-6002003-08-20 21:57Y35J1235G7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 21:57]
.
2011-11-09 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2008-07-19 21:23]
.
2011-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-10-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.0.1
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-09 18:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
.
[HKEY_USERS\S-1-5-21-1935655697-1482476501-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-11-09 18:31:21
ComboFix-quarantined-files.txt 2011-11-10 02:31
ComboFix2.txt 2011-11-08 02:29
ComboFix3.txt 2007-12-13 09:49
.
Pre-Run: 292,400,230,400 bytes free
Post-Run: 292,389,015,552 bytes free
.
- - End Of File - - 10CDDCDC9B99E9ABA821C54F4BC1B56F
 