[Closed] internet explorer take over win explorer shutdown


6 replies to this topic

#1 jesse012379

    New Member
  • 2 posts

Posted 16 October 2009 - 03:29 PM

Once logged on to the net with Firefox or iexplorer, iexplorer pops up on various sites. Often times Windows Explorer shuts down and I have to restart the process in Task Manager; eventually it closes.

DDS (Ver_09-06-26.01) - NTFSx86 Run by Jesse Greer at 0:02:43.85 on Wed 10/14/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.148 [GMT -7:00]
AV: avast! antivirus 4.8.1356 [VPS 091013-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/10/14 00:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Edited by jesse012379, 17 October 2009 - 01:50 AM.


#2 oldman960

    Forum God
  • Classroom Teacher
  • 14,755 posts

Posted 18 October 2009 - 12:10 PM

Hi jesse012379, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#3 oldman960

    Forum God
  • Classroom Teacher
  • 14,755 posts

Posted 22 October 2009 - 07:09 AM

Hi, do you still need help with this? Thanks


#4 jesse012379

    New Member
  • 2 posts

Posted 23 October 2009 - 02:42 AM

ComboFix 09-10-21.02 - Jesse Greer 10/23/2009 1:25.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.200 [GMT -7:00]
Running from: c:\documents and settings\Jesse Greer\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091022-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
2009-08-07 02:24 . 2008-12-18 03:52 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-12 13:17 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2008-12-18 03:52 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-03-11 16:29 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-12-18 03:52 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2008-10-16 21:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-12 13:23 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-12 13:25 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 22:07 . 2009-08-03 22:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 22:07 . 2009-08-03 22:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 22:07 . 2009-08-03 22:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-31 22:23 . 2009-01-06 07:41 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0d2e5a05-8cd6-401f-9a3e-e2937cee3942}"= "c:\program files\FastestP2P Toolbar\toolbar.dll" [2009-07-17 2100224]

[HKEY_CLASSES_ROOT\clsid\{0d2e5a05-8cd6-401f-9a3e-e2937cee3942}]
[HKEY_CLASSES_ROOT\FastestP2PToolbar.IEBarLogic]
[HKEY_CLASSES_ROOT\TypeLib\{8435a6d2-21d3-4c62-8e7d-afae6fec26e8}]
[HKEY_CLASSES_ROOT\FastestP2PToolbar.IEBarLogic]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/17/2009 3:07 PM 114768]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [7/24/2007 9:21 AM 38816]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/12/2004 6:30 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/12/2004 6:30 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/17/2009 3:07 PM 20560]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/20/2008 4:32 AM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 12:19 PM 41216]
S2 gupdate1c9b807cb0e6590;Google Update Service (gupdate1c9b807cb0e6590);c:\program files\Google\Update\GoogleUpdate.exe [4/7/2009 10:06 PM 133104]
S2 rma;Radia Management Agent;c:\novadigm\ManagementAgent\nvdkit.exe [9/19/2005 10:02 AM 1968446]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [9/28/2009 2:43 PM 120232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-11 03:31]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 05:06]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 05:06]

2009-10-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\Jesse Greer\Application Data\Mozilla\Firefox\Profiles\q1tur51k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www2.fastp2psearch.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - FastP2P Search
FF - prefs.js: browser.startup.homepage - hxxp://www.fastp2psearch.com/
FF - prefs.js: keyword.URL - hxxp://www2.fastp2psearch.com/search.php?q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.startup.homepage - hxxp://www.fastp2psearch.com/
FF - user.js: browser.search.selectedEngine - FastP2P Search
FF - user.js: keyword.URL - hxxp://www2.fastp2psearch.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - FastP2P Search
FF - user.js: browser.search.defaulturl - hxxp://www2.fastp2psearch.com/search.php?q=
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-(Default) - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 01:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(1012)
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
.
Completion time: 2009-10-23 1:30
ComboFix-quarantined-files.txt 2009-10-23 08:30

Pre-Run: 140,848,390,144 bytes free
Post-Run: 140,860,481,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EC45BF6B3F0D510EEAE9C519C8D5C823
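The log above is what the helper reads before writing the next reply. As an added example, not code from the thread or from ComboFix, here is a small Python triage script over the kinds of lines that matter most in it: the Find3M entries (zero-byte .tmp files dropped straight into system32, a stray udpcrawl.tmp in the profile root) and the Firefox pref lines that point search and homepage at fastp2psearch.com. It treats user.js entries separately because Firefox re-applies user.js at every start, so a hijack that lives there comes back after the setting is fixed in the UI. The sample log text is constructed from lines visible above; the allowlists of known hosts and search engines, the category names and the list of files expected in a profile root are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-10-17 02:35 . 2009-10-11 10:59 129 ----a-w- c:\documents and settings\Jesse Greer\udpcrawl.tmp
2009-10-11 00:47 . 2009-10-11 00:47 0 ----a-w- c:\windows\system32\37.tmp
2009-10-09 07:57 . 2009-10-09 07:57 0 ----a-w- c:\windows\system32\24.tmp
2009-09-15 10:59 . 2009-01-17 22:07 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-23 04:50 . 2009-01-11 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
FF - prefs.js: browser.search.defaulturl - hxxp://www2.fastp2psearch.com/search.php?q=
FF - prefs.js: browser.startup.homepage - hxxp://www.fastp2psearch.com/
FF - user.js: browser.startup.homepage - hxxp://www.fastp2psearch.com/
FF - user.js: keyword.URL - hxxp://www2.fastp2psearch.com/search.php?q=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
"""

# Find3M / Create line: "<mtime> . <ctime> <size|--------> <attrs> <path>"
FIND3M = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attr>[-a-z]{8}) (?P<path>.+)$"
)
# Firefox pref line: "FF - prefs.js: <key> - <value>" (or user.js)
FFPREF = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<key>\S+) - (?P<value>.+)$")

# Prefs that decide where searches go and what opens at startup.
HIJACK_KEYS = {
    "browser.startup.homepage", "browser.search.defaulturl", "keyword.URL",
    "browser.search.selectedEngine", "browser.search.defaultenginename",
}
# Assumed allowlists for this example; extend with whatever you ship as defaults.
KNOWN_HOSTS = {"www.google.com", "www.yahoo.com", "search.yahoo.com", "www.bing.com"}
KNOWN_ENGINES = {"Google", "Yahoo", "Bing"}
# Files that legitimately sit directly in an XP profile root (assumed list).
PROFILE_ROOT_OK = {"ntuser.dat", "ntuser.ini", "ntuser.dat.log"}


@dataclass(frozen=True)
class Finding:
    category: str
    subject: str   # file path or pref key
    note: str


def _refang(url: str) -> str:
    # ComboFix writes hxxp:// so the log does not become a clickable link.
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def _check_file(m) -> Optional[Finding]:
    attr, size, path = m["attr"], m["size"], m["path"]
    if attr.startswith("d"):          # directories are not interesting here
        return None
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    # A zero-byte file dropped directly into system32 (no subfolder) is how a
    # failed or half-cleaned dropper usually looks; 23/24/37.tmp above fit.
    if size == "0" and re.fullmatch(r"c:\\windows\\system32\\[^\\]+", low):
        return Finding("zero-byte-in-system32", path, f"0 bytes, mtime {m['mtime']}")
    # Legit software rarely writes files straight into the profile root.
    if re.fullmatch(r"c:\\documents and settings\\[^\\]+\\[^\\]+", low) and name not in PROFILE_ROOT_OK:
        return Finding("file-in-profile-root", path, f"{size} bytes, mtime {m['mtime']}")
    return None


def _check_pref(m) -> Optional[Finding]:
    key, value, src = m["key"], m["value"].strip(), m["file"]
    if key not in HIJACK_KEYS:
        return None
    if value.lower().startswith(("hxxp", "http")):
        subject = urlsplit(_refang(value)).hostname or value
        suspicious = subject not in KNOWN_HOSTS
    else:                              # engine names such as "FastP2P Search"
        subject = value
        suspicious = value not in KNOWN_ENGINES
    if not suspicious:
        return None
    if src == "user.js":
        # user.js is re-applied on every Firefox start, so a UI reset is undone
        # at the next launch; the file itself has to go.
        return Finding("ff-user.js-override", key, f"{subject} (re-applied at every start)")
    return Finding("ff-search-hijack", key, subject)


def triage(log_text: str) -> list:
    """Return the suspicious entries found in a ComboFix log excerpt."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = FIND3M.match(line)
        if m:
            f = _check_file(m)
        else:
            m = FFPREF.match(line)
            f = _check_pref(m) if m else None
        if f:
            findings.append(f)
    return findings


def count_by_category(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.subject}  [{f.note}]")
```

Run against the sample it reports the two zero-byte .tmp files in system32, udpcrawl.tmp in the profile root, and four hijacked Firefox prefs, two of them flagged as user.js overrides. The hxxp defang is undone only for host extraction; the script never fetches anything.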

#5 oldman960

oldman960

    Forum God

  • Classroom Teacher
  • 14,755 posts

Posted 23 October 2009 - 09:52 PM

Hi jesse012379,

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
c:\windows\system32\37.tmp
c:\windows\system32\24.tmp
c:\windows\system32\23.tmp
c:\documents and settings\Jesse Greer\settings.dat

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[image: CFScript.txt being dragged onto the ComboFix.exe icon]

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post back with
  • combofix log
  • MBAM log
How is the computer?

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#6 oldman960

oldman960

    Forum God

  • Classroom Teacher
  • 14,755 posts

Posted 26 October 2009 - 12:53 PM

Hi jesse012379, You still with us? Thanks


#7 oldman960

oldman960

    Forum God

  • Classroom Teacher
  • 14,755 posts

Posted 28 October 2009 - 04:09 AM

Due to inactivity this topic will be closed. If you need help please start a new thread.

