i cant get rid of StrongestOptimizer

[Quanta123]

Hi. Ok. Heres the log:


StartDreck (build 2.1.7 public stable) - 2007-05-12 @ 18:02:41 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Jorge Martins at LINUX

»Registry
»Run Keys
»Current User
»Run
*CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe
*MSMSGS="C:\Programas\Messenger\msmsgs.exe" /background
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*ESB=C:\WINDOWS\System32\ESB.exe
*4mtcsb=C:\WINDOWS\System32\4mtcsb.EXE
*PRONoMgr.exe=C:\Programas\Intel\NCS\PROSet\PRONoMgr.exe
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe
*AudioHQ=C:\Programas\Creative\SBLive\AudioHQ\AHQTB.EXE
*Creative Launcher=C:\Programas\Creative\Launcher\CTLauncher.exe
*NeroCheck=C:\WINDOWS\System32\\NeroCheck.exe
*InCD=C:\Programas\Ahead\InCD\InCD.exe
*SunJavaUpdateSched=C:\Programas\Java\jre1.5.0\bin\jusched.exe
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*QuickTime Task="C:\Programas\QuickTime\qttask.exe" -atboottime
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+740=\SystemRoot\System32\smss.exe
+816=\??\C:\WINDOWS\system32\csrss.exe
+840=\??\C:\WINDOWS\system32\winlogon.exe
+884=C:\WINDOWS\system32\services.exe
+896=C:\WINDOWS\system32\lsass.exe
+1064=C:\WINDOWS\system32\svchost.exe
+1128=C:\WINDOWS\system32\svchost.exe
+1268=C:\WINDOWS\System32\svchost.exe
+1320=C:\WINDOWS\System32\S24EvMon.exe
+1368=C:\WINDOWS\System32\svchost.exe
+1516=C:\WINDOWS\System32\svchost.exe
+1884=C:\WINDOWS\system32\spoolsv.exe
+200=C:\WINDOWS\system32\ZCfgSvc.exe
+356=C:\WINDOWS\Explorer.EXE
+696=C:\Documents and Settings\Jorge Martins\Ambiente de trabalho\Anti-coisas\AVG Anti-Spyware 7.5\guard.exe
+708=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+720=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+800=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+1032=C:\Programas\ewido\security suite\ewidoctrl.exe
+1092=C:\Programas\Ahead\InCD\InCDsrv.exe
+1196=C:\WINDOWS\System32\RegSrvc.exe
+1304=C:\WINDOWS\System32\RoamMgr.exe
+1552=C:\WINDOWS\system32\slserv.exe
+1596=C:\WINDOWS\System32\svchost.exe
+144=C:\WINDOWS\system32\wdfmgr.exe
+1084=C:\WINDOWS\System32\4mtcsb.EXE
+1296=C:\WINDOWS\System32\igfxtray.exe
+1448=C:\WINDOWS\System32\hkcmd.exe
+1540=C:\Programas\Creative\SBLive\AudioHQ\AHQTB.EXE
+1804=C:\Programas\Ahead\InCD\InCD.exe
+1956=C:\Programas\Java\jre1.5.0\bin\jusched.exe
+2132=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+2164=C:\Programas\QuickTime\qttask.exe
+2296=C:\WINDOWS\system32\ctfmon.exe
+2356=C:\Programas\Messenger\msmsgs.exe
+2364=C:\WINDOWS\System32\1XConfig.exe
+2704=C:\Programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
+2956=C:\WINDOWS\System32\alg.exe
+180=C:\WINDOWS\system32\wuauclt.exe
+268=C:\Programas\Mozilla Firefox\firefox.exe
+3596=C:\Documents and Settings\Jorge Martins\Ambiente de trabalho\StartDreck\StartDreck.exe
»Application specific

[Glaswegian]

Download Dr.Web CureIt & save it on your desktop.

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look if you can click next icon next to the files found:
• If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: The scan will require at least an hour.

[Quanta123]

Hi. Heres the log. incurável = incurable, movido = moved.

base junk.exe C:\Documents and Settings\All Users\Application Data\third mags grid inside Trojan.Swizzor Incurável.Movido.
Face Find.exe C:\Documents and Settings\All Users\Application Data\third mags grid inside Trojan.Swizzor Incurável.Movido.
jugs bone.exe C:\Documents and Settings\All Users\Application Data\third mags grid inside Trojan.Swizzor Incurável.Movido.
Junk ping.exe C:\Documents and Settings\All Users\Application Data\third mags grid inside Trojan.Swizzor Incurável.Movido.
support plan.exe C:\Documents and Settings\All Users\Application Data\third mags grid inside Trojan.Swizzor Incurável.Movido.
fohyoirb.exe C:\Documents and Settings\Jorge Martins\Application Data\about amok Trojan.Swizzor Incurável.Movido.
owlxvvxh.exe C:\Documents and Settings\Jorge Martins\Application Data\about amok Trojan.Swizzor Incurável.Movido.
tmjeierh.exe C:\Documents and Settings\Jorge Martins\Application Data\about amok Trojan.Swizzor Incurável.Movido.
xhdskubs.exe C:\Documents and Settings\Jorge Martins\Application Data\about amok Trojan.Swizzor Incurável.Movido.
zkuhxctx.exe C:\Documents and Settings\Jorge Martins\Application Data\about amok Trojan.Swizzor Incurável.Movido.
mirc.exe C:\mIRC Program.mIRC.616 Incurável.Movido.

[Glaswegian]

Hi again

LOP is the only thing that seems to be present.

Please run combofix again, just as you did previously.

Post back with c:\combofix.txt

[Quanta123]

Hi. Heres the log:

"Jorge Martins" - 2007-05-13 14:53:51 Service Pack 2
ComboFix 07-05.11.V - Running from: "C:\Documents and Settings\Jorge Martins\Ambiente de trabalho\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-12 20:26 <DIR> d-------- C:\DOCUME~1\JORGEM~1\DoctorWeb
2007-05-09 19:59 <DIR> d-------- C:\Programas\SopCast
2007-05-09 19:59 <DIR> d-------- C:\DOCUME~1\JORGEM~1\APPLIC~1\SopCast
2007-05-07 21:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-06 20:20 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-06 20:20 <DIR> d-------- C:\Programas\Your Uninstaller 2006
2007-05-06 20:20 <DIR> d-------- C:\DOCUME~1\JORGEM~1\APPLIC~1\URSoft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 19:54:40 -------- d-----w C:\DOCUME~1\JORGEM~1\APPLIC~1\about amok
2007-05-06 19:13:35 -------- d--h--w C:\Programas\InstallShield Installation Information
2007-05-06 19:11:55 -------- d-----w C:\Programas\GameSpy Arcade
2007-05-06 19:11:08 -------- d-----w C:\Programas\Finale 2003
2007-05-06 18:46:04 -------- d-----w C:\Programas\eMule
2007-04-25 18:48:41 -------- d-----w C:\Programas\TVU Player
2007-04-25 18:11:45 -------- d-----w C:\Programas\PartyGaming.Net
2007-03-25 17:22:30 64,140 ----a-w C:\WINDOWS\system32\perfc016.dat
2007-03-25 17:22:30 428,328 ----a-w C:\WINDOWS\system32\perfh016.dat
2007-03-17 13:43:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:37:34 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:37:34 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:37:34 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:32 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:18:52 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F}=C:\DOCUME~1\JORGEM~1\AMBIEN~1\ANTI-C~1\SPYBOT~1\SDHelper.dll
{8ABC10F3-9DFD-6742-EB72-D9D7C8DD4570}=C:\WINDOWS\gacud1.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ESB"="C:\\WINDOWS\\System32\\ESB.exe"
"4mtcsb"="C:\\WINDOWS\\System32\\4mtcsb.EXE"
"PRONoMgr.exe"="C:\\Programas\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"AudioHQ"="C:\\Programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="C:\\Programas\\Creative\\Launcher\\CTLauncher.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"InCD"="C:\\Programas\\Ahead\\InCD\\InCD.exe"
"SunJavaUpdateSched"="C:\\Programas\\Java\\jre1.5.0\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESB"="C:\WINDOWS\System32\ESB.exe" [2002-12-02 02:32]
"4mtcsb"="C:\WINDOWS\System32\4mtcsb.EXE" [2002-11-29 12:45]
"PRONoMgr.exe"="C:\Programas\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:21]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 03:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 03:11]
"AudioHQ"="C:\Programas\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 02:00]
"Creative Launcher"="C:\Programas\Creative\Launcher\CTLauncher.exe" []
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Programas\Ahead\InCD\InCD.exe" [2003-06-03 10:54]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.5.0\bin\jusched.exe" [2004-09-03 06:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-23 15:04]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2005-09-05 04:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"MSMSGS"="C:\Programas\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Programas\ewido\security suite\shellhook.dll"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Documents and Settings\Jorge Martins\Ambiente de trabalho\Anti-coisas\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 14:56:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 14:56:50
C:\ComboFix-quarantined-files.txt ... 2007-05-13 14:56
C:\ComboFix2.txt ... 2007-05-10 20:49
C:\ComboFix3.txt ... 2007-05-08 01:41

[Glaswegian]

Hi again

Registry Fix
Click on the zip file attached to this post to open and extract the file Quanta2.reg to your desktop. Double click on the file Quanta2.reg to run it. Answer yes to any prompts and allow it to merge into the Registry.



File Deletions
Delete the following Folder indicated in BLUE if it still exists.

C:\DOCUMENTS AND SETTINGS\JORGEM~1\APPLICATION DATA\about amok

Note: If it resists, you may have to boot to Safe Mode to delete it.


Run combofix again and post the log.

[Quanta123]

Hi. Heres the log:

"Jorge Martins" - 2007-05-13 16:54:27 Service Pack 2
ComboFix 07-05.11.V - Running from: "C:\Documents and Settings\Jorge Martins\Ambiente de trabalho\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-12 20:26 <DIR> d-------- C:\DOCUME~1\JORGEM~1\DoctorWeb
2007-05-09 19:59 <DIR> d-------- C:\Programas\SopCast
2007-05-09 19:59 <DIR> d-------- C:\DOCUME~1\JORGEM~1\APPLIC~1\SopCast
2007-05-07 21:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-06 20:20 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-06 20:20 <DIR> d-------- C:\Programas\Your Uninstaller 2006
2007-05-06 20:20 <DIR> d-------- C:\DOCUME~1\JORGEM~1\APPLIC~1\URSoft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-06 19:13:35 -------- d--h--w C:\Programas\InstallShield Installation Information
2007-05-06 19:11:55 -------- d-----w C:\Programas\GameSpy Arcade
2007-05-06 19:11:08 -------- d-----w C:\Programas\Finale 2003
2007-05-06 18:46:04 -------- d-----w C:\Programas\eMule
2007-04-25 18:48:41 -------- d-----w C:\Programas\TVU Player
2007-04-25 18:11:45 -------- d-----w C:\Programas\PartyGaming.Net
2007-03-25 17:22:30 64,140 ----a-w C:\WINDOWS\system32\perfc016.dat
2007-03-25 17:22:30 428,328 ----a-w C:\WINDOWS\system32\perfh016.dat
2007-03-17 13:43:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:37:34 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:37:34 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:37:34 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:32 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:18:52 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F}=C:\DOCUME~1\JORGEM~1\AMBIEN~1\ANTI-C~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ESB"="C:\\WINDOWS\\System32\\ESB.exe"
"4mtcsb"="C:\\WINDOWS\\System32\\4mtcsb.EXE"
"PRONoMgr.exe"="C:\\Programas\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"AudioHQ"="C:\\Programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="C:\\Programas\\Creative\\Launcher\\CTLauncher.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"InCD"="C:\\Programas\\Ahead\\InCD\\InCD.exe"
"SunJavaUpdateSched"="C:\\Programas\\Java\\jre1.5.0\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESB"="C:\WINDOWS\System32\ESB.exe" [2002-12-02 02:32]
"4mtcsb"="C:\WINDOWS\System32\4mtcsb.EXE" [2002-11-29 12:45]
"PRONoMgr.exe"="C:\Programas\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:21]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 03:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 03:11]
"AudioHQ"="C:\Programas\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 02:00]
"Creative Launcher"="C:\Programas\Creative\Launcher\CTLauncher.exe" []
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Programas\Ahead\InCD\InCD.exe" [2003-06-03 10:54]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.5.0\bin\jusched.exe" [2004-09-03 06:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-23 15:04]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2005-09-05 04:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"MSMSGS"="C:\Programas\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Programas\ewido\security suite\shellhook.dll"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Documents and Settings\Jorge Martins\Ambiente de trabalho\Anti-coisas\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 16:56:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 16:56:26
C:\ComboFix-quarantined-files.txt ... 2007-05-13 16:56
C:\ComboFix2.txt ... 2007-05-13 14:56
C:\ComboFix3.txt ... 2007-05-10 20:49

[Glaswegian]

I assume that nothing has changed?

[Quanta123]

Yes, nothing changed. I still cant remove StrongestOptimizer and browser still shuts down in some cases, like the HJT Log Help, and the downloads of Gmer, HJT and Avenger.

I ran a search on Google for StrongestOptimizer and i came across a couple of sites.

The first one is this which claims it can remove StrongestOptimizer (in the google search page). Is it trustworthy?

The second is this where there is a talk about the subject, but both my italian and computer skills are not very good so i thought i shouldnt risk trying some programs sugested. I did try Your Uninstaller (even without Gmer) but it didnt work.

As far as i can tell my problem is unique, for i cant download Gmer, HJT or Avenger.

[Glaswegian]

Hi again

Click on the zip file attached to this post to open and extract the file regfix3.reg to your desktop. Double click on the file regfix3.reg to run it. Answer yes to any prompts and allow it to merge into the Registry.


Now go to Start > Run and type in catchme in the run box and click OK.

Post back with the log produced.

[Quanta123]

Hi Glaswegian. Thx for help so far.

Something curious happened. When i typed catchme on the Run, the whole Run window disappeared and all the icons on desktop disappeared, as for the start bar. Then all came back, except the Run window. I tried to find the log in the desktop and in c:\ but no luck. I assume it restarted the Windows Explorer, though not shure. I tried again, but faster, and a window appeared for just a second, and quickly shut down. No log.

Now i cant see Run because catchme is written there and i dont have time to change it before the window disappears.

[sUBs]

Navigate to this directory - C:\Windows

Locate & rename catchme.exe to KMD.exe.

Then doubleclick on it.

[Quanta123]

Hi sUBs. Cant rename the file.

I can right-click on the file but if i try to change name i get the same thing: window closes, desktop icons and start-bar disappear, then all reappears, except c:\windows.

[sUBs]

I have fixed the link for regdump.exe. Please try it now

[Quanta123]

The regdump log is attached.

[Glaswegian]

Hi again

Click on the zip file attached to this post to open and extract the file quanta123.bat to your desktop. Double click on the file quanta.bat to run it. A window will open and close quickly - this is normal. Now reboot your PC and let me know if things are any better.

[Quanta123]

Hi Glaswegian.

Its all the same. Cant remove StrongestOptimizer and also cant google for HJT (if i write all). I did a printscreen (its attached) the moment the program window appeared. It may help.

[Glaswegian]

Can you see if this file is still on your system

c:\windows\system32\orfihdrh.bak

[Quanta123]

Yes it is.

[Glaswegian]

OK

Try again with this batch file - same as before - should work this time...

If possible can I ask you to stay online for a few minutes after you've posted...