Old 11-17-2008, 08:30 AM   #8 (permalink)
scoricha
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Thank you for your response. I ran ComboFix (see the log below). My firewall kept trying to block it from running, so I had to disable the firewall while I ran it. The computer seems to be running okay when I am on the internet (IE), but many programs are still closing on their own (Yahoo! Messenger, Gmail notifier, Outlook, etc.). Thanks again for your help!

Here's the ComboFix log:

ComboFix 08-11-16.05 - HP_Administrator 2008-11-17 9:24:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1512 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\IE4 Error Log.txt
c:\windows\system32\__c002224A.dat
c:\windows\system32\__c008D1F2.dat
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-14 15:23 . 2008-11-14 15:23 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2008-11-14 08:41 . 2008-11-14 08:41 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Comodo
2008-11-14 01:11 . 2008-11-14 01:11 <DIR> d-------- c:\program files\COMODO
2008-11-14 01:11 . 2008-11-14 08:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-11-14 01:11 . 2008-11-14 01:11 143,096 --a------ c:\windows\system32\guard32.dll
2008-11-14 01:11 . 2008-11-14 01:11 99,856 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-11-14 01:11 . 2008-11-14 01:11 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-11-13 23:21 . 2008-11-13 23:21 250 --a------ c:\windows\gmer.ini
2008-11-11 19:58 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:57 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-10-29 14:16 . 2008-10-29 16:55 <DIR> d-------- c:\windows\BDOSCAN8
2008-10-29 13:42 . 2008-11-14 09:48 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-29 09:01 . 2008-10-29 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 00:32 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-18 11:28 . 2008-10-28 07:50 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\skypePM
2008-10-18 11:28 . 2008-10-18 11:28 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-10-18 11:24 . 2008-10-28 13:36 <DIR> d-------- c:\program files\Skype
2008-10-18 11:24 . 2008-10-28 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-08 17:02 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2008-11-06 17:08 --------- d-----w c:\program files\HP
2008-11-06 17:07 --------- d-----w c:\program files\Hewlett-Packard
2008-10-29 14:42 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2008-10-29 03:45 --------- d-----w c:\program files\GemMaster
2008-10-24 11:21 455,296 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Digital Interactive Systems Corporation
2008-10-15 16:40 --------- d-----w c:\program files\The Learning Company
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2007-01-19 01:21 150 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-13 68856]
"HbDetect.exe"="c:\program files\Playskool\MADE FOR ME Software\HbDetect.exe" [2006-10-26 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-24 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"CaAvTray"="c:\program files\Yahoo!\Antivirus\CAVTray.exe" [2007-09-11 230512]
"CAVRID"="c:\program files\Yahoo!\Antivirus\CAVRID.exe" [2007-09-11 185456]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-11-14 1797880]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-05-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2007-09-13 104960]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-08-24 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-11-14 99856]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-14 31504]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPBootOp - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
HKLM-Run-PCDrProfiler - (no file)
Notify-__c002224A - c:\windows\system32\__c002224A.dat
Notify-__c00280F1 - c:\windows\system32\__c00280F1.dat
Notify-__c0069664 - c:\windows\system32\__c0069664.dat
Notify-__c008D1F2 - c:\windows\system32\__c008D1F2.dat
Notify-__c009B5E0 - c:\windows\system32\__c009B5E0.dat
Notify-__c00CC610 - c:\windows\system32\__c00CC610.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
LSP: c:\windows\system32\VetRedir.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 09:34:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Yahoo!\Antivirus\iSafe.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\CTSVCCDA.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Yahoo!\Antivirus\VetMsg.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-17 9:41:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-17 14:41:07

Pre-Run: 204,910,080,000 bytes free
Post-Run: 207,120,961,536 bytes free

183 --- E O F --- 2008-11-12 01:03:20