
· Registered
Joined
·
40 Posts
Discussion Starter · #1 ·
I think my XPPro install is infected. For 3 or 4 months this 3GB PC has been behaving badly--frequent BSOD's, disconnects from internet, loss of email account, lost sound card/recovers with reboot, and so forth. I have run MalWareBytes in both Normal and Safe mode (found 6 threats on first scan in Normal mode), AVG antivirus multiple times with no infections found.

Submitted my machine to a scan by a utility from the XPPro forum (I will try to attach it; this failed--no response to the Manage Attachments link) and nothing bad found there except maybe an older 80 GB harddrive. The harddrive has passed WDigital test so I doubt it's the problem. The techies on that forum suggested I move here; that I have a virus problem.

Yesterday my outgoing eMail account (Comcast) was shut down; I dealt with Comcast to get it opened via changing the outgoing port which I understand is a telltale sign of virus issues.

I have gone to a different computer and changed financial login info. Now I wish to proceed with the kill or cure program--I am totally fed up with this flaming machine!!

Tell me what to do--I attempted to download the "D something" scan tool but only got adverts--no legitimate-looking link.
 

· Registered
Joined
·
40 Posts
Discussion Starter · #2 ·
Results of DDS and GMER scans :
This computer has shown many odd behaviours. Frequent BSOD's with varying error messages. Frequent failure of FireFox browser. Inability to open pdf's while browsing even though the Acrobat Reader 10 is installed and I also have Adobe Acrobat. I lose my sound card--it is shown as installed and operating in Device Manager but no audio device shows in Sounds and Audio and although I do get System sounds I lose streaming radio or music player sound. This is repaired by stopping and rebooting. I have the three files from the DDS and GMER scans and will attempt to attach them--note that my Antivirus program (AVG) only allows 15 minutes deactivation and the scan took about 45 so on two occasions while the scan was running I opened AVG and extended the disablement.

Now another odd symptom--cannot make attachments--the Manage Attachments button does not produce results nor can I paste my DDS text file into this message. Please advise how to proceed.
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Hello tomstearns,

Try booting into Safe Mode with Networking and see if you can work better that way. If not, can you save the logs to a flash drive, then go to another computer to post them to us?
 

· Registered
Joined
·
40 Posts
That time your website worked. Here's a final try for the text file:

Please be advised that when I joined this Forum I ran Win2KSP 4; I am now running XPPro SP3 on a different machine.

I ran MalwareBytes with fresh download this evening and just completed a run with SuperAntiSpyware which found a bunch of cookies and two level 5 (out of 10) threats, i.e. a Rogue Gen-NULLO/BIN and a Trojan Agent Gen-NULLO/Short.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by T H Stearns at 15:02:02.95 on Tue 04/12/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1308 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\T H Stearns\Local Settings\Temporary Internet Files\Content.IE5\FAABDQ5E\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH0.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH0.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} - c:\program files\nch_en\prxtbNCH0.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [EPSON Stylus Photo 2200] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O6 "USB002" /M "Stylus Photo 2200"
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
StartupFolder: c:\docume~1\thstea~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6212/mcfscan.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\thstea~1\applic~1\mozilla\firefox\profiles\szlw4l3y.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32464]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 296400]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
S2 BT848;AVerMedia AVerTV WDM Video Capture (878);c:\windows\system32\drivers\bt848.sys --> c:\windows\system32\drivers\Bt848.sys [?]
S2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-4-8 947528]
S3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys --> c:\windows\system32\drivers\cmudax.sys [?]
S3 cpudrv;cpudrv;\??\c:\program files\systemrequirementslab\cpudrv.sys --> c:\program files\systemrequirementslab\cpudrv.sys [?]
S3 dfg;dfg;c:\windows\system32\drivers\dfg.sys [2011-3-9 23552]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [2011-3-16 28928]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [2011-3-16 1217920]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [2011-3-16 1220224]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\t h stearns\desktop\drivers\hwioctl.sys --> c:\documents and settings\t h stearns\desktop\drivers\HwIOctl.sys [?]
.
=============== Created Last 30 ================
.
2011-04-10 14:41:42 -------- d-----w- c:\docume~1\thstea~1\locals~1\applic~1\ConduitEngine
2011-04-10 14:41:41 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-10 14:41:41 -------- d-----w- c:\program files\ConduitEngine
2011-04-09 19:35:34 -------- d-----w- c:\docume~1\thstea~1\applic~1\Malwarebytes
2011-04-09 19:35:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 19:35:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-09 19:35:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 19:35:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-08 20:55:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-04-08 18:32:45 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2011-04-08 18:32:45 5632 -c--a-w- c:\windows\system32\dllcache\smierrsy.dll
2011-04-08 18:32:45 5632 ----a-w- c:\windows\system32\wbem\snmp\smimsgif.dll
2011-04-08 18:32:45 5632 ----a-w- c:\windows\system32\wbem\snmp\smierrsy.dll
2011-04-08 18:32:45 15872 -c--a-w- c:\windows\system32\dllcache\smierrsm.dll
2011-04-08 18:32:45 15872 ----a-w- c:\windows\system32\wbem\snmp\smierrsm.dll
2011-04-08 18:32:45 10240 -c--a-w- c:\windows\system32\dllcache\snmpstup.dll
2011-04-08 18:32:45 10240 ----a-w- c:\windows\system32\wbem\snmpstup.dll
2011-04-08 14:44:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegSERVO
2011-04-08 14:44:18 -------- d-----w- c:\program files\REGSERVO
2011-04-07 01:01:20 -------- d-----w- c:\docume~1\thstea~1\locals~1\applic~1\Microsoft Corporation
2011-04-04 07:59:54 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-02 00:33:04 65536 ------w- c:\windows\system32\adistres.dll
2011-04-02 00:33:04 20584 ------w- c:\windows\system32\PdfPorts.dll
2011-04-02 00:33:00 225280 ------w- c:\program files\internet explorer\plugins\NPDocBox.dll
2011-04-02 00:32:58 101200 ------w- c:\windows\system32\pdfshell.dll
2011-04-02 00:32:46 -------- d-----w- c:\windows\system32\Adobe
2011-04-02 00:30:50 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-01 19:28:24 -------- d-----w- C:\spoolerlogs
2011-03-28 00:11:11 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-27 01:13:19 -------- d-----w- c:\docume~1\thstea~1\applic~1\NCH Software
2011-03-16 18:48:25 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-03-16 18:48:25 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-03-16 18:48:24 38672 ----a-w- c:\windows\system32\pcleUtil.dll
2011-03-16 18:48:23 142337 ----a-w- c:\windows\system32\Wait.exe
2011-03-16 18:47:30 831554 ----a-w- c:\windows\system32\hcwtvwnd.dll
2011-03-16 18:47:30 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2011-03-16 18:47:30 323640 ----a-w- c:\windows\system32\hcwpnp32.dll
2011-03-16 18:47:30 118840 ----a-w- c:\windows\system32\hcwi2c32.dll
2011-03-16 18:47:16 1220224 ----a-w- c:\windows\system32\drivers\hcw72DTV.sys
2011-03-16 18:47:11 28928 ----a-w- c:\windows\system32\drivers\hcw72ADFilter.sys
2011-03-16 18:47:08 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2011-03-16 18:47:08 15232 ----a-w- c:\windows\system32\drivers\MPE.sys
2011-03-16 18:46:58 95744 ----a-w- c:\windows\system32\hcwcpxx.ax
2011-03-16 18:46:58 44032 ----a-w- c:\windows\system32\hcw72Co.dll
2011-03-16 18:46:57 1217920 ----a-w- c:\windows\system32\drivers\hcw72ATV.sys
2011-03-16 18:46:54 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2011-03-16 18:46:54 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2011-03-16 18:46:54 33280 ----a-w- c:\windows\system32\PsisRndr.ax
2011-03-16 18:46:53 56832 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-03-16 18:46:52 18432 ----a-w- c:\windows\system32\BdaPlgIn.ax
2011-03-16 18:46:52 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2011-03-16 18:46:52 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2011-03-16 18:46:20 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-03-16 18:46:20 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2011-03-16 18:38:08 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-03-16 18:38:08 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
.
==================== Find3M ====================
.
2011-03-05 20:45:48 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-05 20:45:48 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-12 00:48:31 252080 ------w- c:\windows\system32\nvdrsdb1.bin
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 15:02:54 249856 ------w- c:\windows\Setup1.exe
2011-01-20 15:02:53 73216 ------w- c:\windows\ST6UNST.EXE
2004-08-04 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2010-09-18 06:53:25 974848 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 15:02:54.42 ===============
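The helper below is an added example of how a responder can triage the SERVICES / DRIVERS section of a DDS log like the one above; it is not part of the DDS tool, the TSF forum, or this poster's own material. It parses each `R#/S#` service line, then scores each driver against a few defensive heuristics that are common in malware-log review: a display name that merely repeats the service name, a very short or vowel-less (random-looking) name, a `[?]` marker (file no longer on disk, an orphaned entry), a file dated close to the scan date, and a load path under a user-writable location. The scoring weights, the 45-day window, and the sample lines (modelled on the log above, trimmed and constructed for this example) are my own assumptions; the output is a ranking for human review, not a verdict.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed sample modelled on the DDS "SERVICES / DRIVERS" section above.
DDS_SAMPLE = r"""
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32464]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S3 cpudrv;cpudrv;\??\c:\program files\systemrequirementslab\cpudrv.sys --> c:\program files\systemrequirementslab\cpudrv.sys [?]
S3 dfg;dfg;c:\windows\system32\drivers\dfg.sys [2011-3-9 23552]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [2011-3-16 1217920]
.
=============== Created Last 30 ================
.
2011-04-09 19:35:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# "<state> <name>;<display>;<path> [<yyyy-m-d size> | ?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    file_date: Optional[date]
    size: Optional[int]
    missing: bool                       # True when DDS printed "[?]" (file not found)
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract service/driver entries from the SERVICES / DRIVERS section only."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("=") and "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break                       # next section header ends the block
        if not in_section:
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue                    # skips the "." separator lines
        state, name, display, path, meta = m.groups()
        missing = meta.strip() == "?"
        file_date = size = None
        if not missing:
            d, s = meta.split()
            y, mo, da = (int(x) for x in d.split("-"))
            file_date, size = date(y, mo, da), int(s)
        if "-->" in path:               # keep the resolved path DDS printed after the arrow
            path = path.split("-->")[-1].strip()
        entries.append(ServiceEntry(state, name.strip(), display.strip(), path,
                                    file_date, size, missing))
    return entries


def triage(entries: List[ServiceEntry], scan_date: date, recent_days: int = 45) -> List[ServiceEntry]:
    """Attach heuristic reasons to each entry and return them ranked, highest score first."""
    for e in entries:
        if e.display.lower() == e.name.lower():
            e.reasons.append("display name just repeats the service name")
        if len(e.name) <= 3 or not re.search(r"[aeiou]", e.name, re.I):
            e.reasons.append("short or vowel-less (random-looking) service name")
        if e.missing:
            e.reasons.append("file not found on disk (orphaned service entry)")
        if e.file_date and (scan_date - e.file_date).days <= recent_days:
            e.reasons.append(f"file dated within {recent_days} days of the scan")
        if re.search(r"\\(documents and settings|users|temp)\\", e.path, re.I):
            e.reasons.append("loaded from a user-writable location")
    return sorted(entries, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    # Scan date taken from the DDS header above (Tue 04/12/2011).
    for e in triage(parse_services(DDS_SAMPLE), date(2011, 4, 12)):
        print(f"{e.score}  {e.state} {e.name:<10} {e.path}")
        for r in e.reasons:
            print(f"      - {r}")
```

Run against the sample, `dfg` ranks first (three reasons: name equals display, three-letter vowel-less name, file dated 34 days before the scan), the orphaned `cpudrv` entry second, and the established AVG drivers at the bottom. That ordering only tells the reviewer where to look first; the ComboFix output later in this thread is what confirms which entry was actually removed.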
 


· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Thank you, and I see the culprit.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

Regarding AVG - Due to recent changes in AVG and how it interacts with ComboFix, before running ComboFix, AVG must be uninstalled via Start>Control Panel>Add or Remove programs panel.

If you have difficulty uninstalling AVG, download Opswat AppRemover for AVG. The download for the AVG uninstaller can be found here > http://www.appremover.com/appremover/avg/AppRemover.exe



====================================================


Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

· Registered
Joined
·
40 Posts
Discussion Starter · #7 ·
Can't uninstall AVG completely and ComboFix won't run with it partially out as it is. Tried to re-install AVG in order to get it out of its lockup but that also failed. There is an installation log somewhere; perhaps I can upload it to this post. How do I proceed with ComboFix, or is there another utility I should use in this case?
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Did you try the uninstaller I posted the link for? If so, then try AVG's uninstaller AVG - Download tools you want the 32-bit uninstaller.
 

· Registered
Joined
·
40 Posts
Ried: Here is the ComboFix log file. Somehow in the flurry of pop-up ads and this computer jittering around with its insanities I missed the Uninstall tool which quickly fixed AVG.

ComboFix 11-04-12.02 - T H Stearns 04/13/2011 7:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1578 [GMT -4:00]
Running from: c:\documents and settings\T H Stearns\My Documents\Downloads\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\T H Stearns\WINDOWS
c:\windows\system32\drivers\dfg.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_dfg
.
.
((((((((((((((((((((((((( Files Created from 2011-03-13 to 2011-04-13 )))))))))))))))))))))))))))))))
.
.
2011-04-13 00:18 . 2011-04-13 00:18 -------- d-----w- c:\documents and settings\T H Stearns\Application Data\SUPERAntiSpyware.com
2011-04-13 00:18 . 2011-04-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-13 00:18 . 2011-04-13 00:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-12 11:07 . 2011-04-12 11:08 -------- d-----w- c:\documents and settings\Administrator
2011-04-10 14:41 . 2011-04-10 14:42 -------- d-----w- c:\documents and settings\T H Stearns\Local Settings\Application Data\ConduitEngine
2011-04-10 14:41 . 2011-04-10 14:41 -------- d-----w- c:\program files\ConduitEngine
2011-04-10 14:41 . 2011-04-10 14:41 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-09 19:35 . 2011-04-09 19:35 -------- d-----w- c:\documents and settings\T H Stearns\Application Data\Malwarebytes
2011-04-09 19:35 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 19:35 . 2011-04-09 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 19:35 . 2011-04-09 19:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 19:35 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-08 18:32 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2011-04-08 18:32 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smierrsy.dll
2011-04-08 18:32 . 2004-08-04 12:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smimsgif.dll
2011-04-08 18:32 . 2004-08-04 12:00 5632 ----a-w- c:\windows\system32\wbem\snmp\smierrsy.dll
2011-04-08 18:32 . 2004-08-04 12:00 15872 -c--a-w- c:\windows\system32\dllcache\smierrsm.dll
2011-04-08 18:32 . 2004-08-04 12:00 15872 ----a-w- c:\windows\system32\wbem\snmp\smierrsm.dll
2011-04-08 18:32 . 2004-08-04 12:00 10240 -c--a-w- c:\windows\system32\dllcache\snmpstup.dll
2011-04-08 18:32 . 2004-08-04 12:00 10240 ----a-w- c:\windows\system32\wbem\snmpstup.dll
2011-04-08 14:44 . 2011-04-08 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\RegSERVO
2011-04-08 14:44 . 2011-04-08 14:44 -------- d-----w- c:\program files\REGSERVO
2011-04-07 01:01 . 2011-04-07 01:01 -------- d-----w- c:\documents and settings\T H Stearns\Local Settings\Application Data\Microsoft Corporation
2011-04-04 07:59 . 2011-02-03 01:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-03 23:34 . 2011-04-03 23:34 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-04-02 00:33 . 2001-03-15 09:18 20584 ------w- c:\windows\system32\PdfPorts.dll
2011-04-02 00:33 . 2001-03-15 09:18 65536 ------w- c:\windows\system32\adistres.dll
2011-04-02 00:33 . 2001-01-30 17:56 225280 ------w- c:\program files\Internet Explorer\PLUGINS\NPDocBox.dll
2011-04-02 00:32 . 2001-03-15 08:55 101200 ------w- c:\windows\system32\pdfshell.dll
2011-04-02 00:32 . 2011-04-02 00:32 -------- d-----w- c:\windows\system32\Adobe
2011-04-02 00:31 . 2011-04-02 00:31 -------- d-----w- c:\documents and settings\T H Stearns\Application Data\InterTrust
2011-04-02 00:30 . 2011-04-02 15:24 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-01 19:28 . 2011-04-01 19:28 -------- d-----w- C:\spoolerlogs
2011-03-27 01:13 . 2011-03-27 01:13 -------- d-----w- c:\documents and settings\T H Stearns\Application Data\NCH Software
2011-03-27 00:40 . 2011-03-27 00:40 -------- d-----w- c:\documents and settings\T H Stearns\Application Data\Recordpad
2011-03-24 15:13 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-03-19 16:10 . 2011-03-19 16:10 -------- d-----w- c:\program files\Common Files\Java
2011-03-19 16:01 . 2011-03-19 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-16 18:48 . 2008-06-30 14:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-03-16 18:48 . 2008-06-30 14:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-03-16 18:48 . 2009-08-12 15:37 38672 ----a-w- c:\windows\system32\pcleUtil.dll
2011-03-16 18:48 . 2009-01-28 15:52 142337 ----a-w- c:\windows\system32\Wait.exe
2011-03-16 18:47 . 2010-09-27 19:38 323640 ----a-w- c:\windows\system32\hcwpnp32.dll
2011-03-16 18:47 . 2010-08-26 22:07 118840 ----a-w- c:\windows\system32\hcwi2c32.dll
2011-03-16 18:47 . 2009-02-17 03:09 831554 ----a-w- c:\windows\system32\hcwtvwnd.dll
2011-03-16 18:47 . 2006-10-10 22:47 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2011-03-16 18:47 . 2010-04-23 15:52 1220224 ----a-w- c:\windows\system32\drivers\hcw72DTV.sys
2011-03-16 18:47 . 2010-04-23 15:47 28928 ----a-w- c:\windows\system32\drivers\hcw72ADFilter.sys
2011-03-16 18:47 . 2008-04-13 17:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2011-03-16 18:47 . 2008-04-13 17:46 15232 ----a-w- c:\windows\system32\drivers\MPE.sys
2011-03-16 18:46 . 2010-04-23 10:47 44032 ----a-w- c:\windows\system32\hcw72Co.dll
2011-03-16 18:46 . 2008-05-20 17:37 95744 ----a-w- c:\windows\system32\hcwcpxx.ax
2011-03-16 18:46 . 2010-04-23 15:48 1217920 ----a-w- c:\windows\system32\drivers\hcw72ATV.sys
2011-03-16 18:46 . 2008-04-13 23:12 33280 ----a-w- c:\windows\system32\PsisRndr.ax
2011-03-16 18:46 . 2008-04-13 23:12 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2011-03-16 18:46 . 2008-04-13 23:12 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2011-03-16 18:46 . 2008-04-13 23:12 56832 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-03-16 18:46 . 2008-04-13 23:12 18432 ----a-w- c:\windows\system32\BdaPlgIn.ax
2011-03-16 18:46 . 2008-04-13 17:46 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2011-03-16 18:46 . 2008-04-13 17:46 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2011-03-16 18:46 . 2008-04-13 17:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-03-16 18:46 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2011-03-16 18:38 . 2008-04-13 17:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-03-16 18:38 . 2008-04-13 17:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-12-26 02:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-12-26 03:01 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 12:00 978944 --sh--w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 01:40 . 2010-12-26 23:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2010-12-26 22:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2010-12-26 02:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-12-26 02:35 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 15:02 . 2011-01-20 15:02 249856 ------w- c:\windows\Setup1.exe
2011-01-20 15:02 . 2011-01-20 15:02 73216 ------w- c:\windows\ST6UNST.EXE
2011-03-18 17:53 . 2011-04-09 11:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2004-08-04 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
2011-01-17 14:54 175912 ----a-w- c:\program files\NCH_EN\prxtbNCH0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"= "c:\program files\NCH_EN\prxtbNCH0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{37483B40-C254-4A72-BDA4-22EE90182C1E}"= "c:\program files\NCH_EN\prxtbNCH0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{37483b40-c254-4a72-bda4-22ee90182c1e}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-03-17 107000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"EPSON Stylus Photo 2200"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
.
c:\documents and settings\T H Stearns\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2011-4-1 49254]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-23 415072]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^T H Stearns^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\T H Stearns\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWT myPrintMileage Agent]
2005-01-26 08:45 102400 ------w- c:\program files\Hewlett-Packard\HP Business Inkjet 1000\Toolbox\mpm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2011-03-17 19:22 107000 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 18:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 BT848;AVerMedia AVerTV WDM Video Capture (878);c:\windows\system32\drivers\Bt848.sys --> c:\windows\system32\drivers\Bt848.sys [?]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 8:00 AM 14336]
S3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys --> c:\windows\system32\drivers\cmudax.sys [?]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [3/16/2011 2:47 PM 28928]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [3/16/2011 2:46 PM 1217920]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [3/16/2011 2:47 PM 1220224]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\T H Stearns\Desktop\Drivers\HwIOctl.sys --> c:\documents and settings\T H Stearns\Desktop\Drivers\HwIOctl.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-27 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-12-27 17:00]
.
2011-04-08 c:\windows\Tasks\RegSERVO.job
- c:\program files\REGSERVO\RegSERVO.exe [2010-08-19 16:45]
.
2011-04-10 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-03-27 00:47]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: mcafee.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\documents and settings\T H Stearns\Application Data\Mozilla\Firefox\Profiles\szlw4l3y.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil10l_Plugin.exe
AddRemove-Copy Utility - c:\program files\EPSON\Copy Utility\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-13 07:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1004336348-1275210071-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\Mixer.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\System32\snmp.exe
.
**************************************************************************
.
Completion time: 2011-04-13 07:41:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-13 11:41
.
Pre-Run: 34,673,332,224 bytes free
Post-Run: 35,120,279,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3996219C7AF3FE72E0D02FC9358238FE
 

Attachments
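The helpers on this thread read a ComboFix log like the one above by eye, section by section. As an added example (it is not ComboFix's own code and was not posted by anyone in the thread), here is a small Python triage script that applies a few of the checks a responder makes against that log format: autostart entries whose path is unqualified or sits in a user profile, a Security Center override that silences antivirus alerts, firewall rules that open a port to every address (3389/TCP is Remote Desktop), and service or driver entries whose file ComboFix could not find on disk (the trailing `[?]`). The sample input is constructed from lines copied out of the log above; the rule set, the `triage` and `parse_entry` names and the finding labels are my own.

```python
import re

# Constructed sample: lines copied from the ComboFix log above, kept in the
# layout ComboFix prints them in (bracketed registry section headers, then
# "Name"=value entries; "R1 ..."/"S3 ..." lines for services and drivers).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S2 BT848;AVerMedia AVerTV WDM Video Capture (878);c:\windows\system32\drivers\Bt848.sys --> c:\windows\system32\drivers\Bt848.sys [?]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\T H Stearns\Desktop\Drivers\HwIOctl.sys --> c:\documents and settings\T H Stearns\Desktop\Drivers\HwIOctl.sys [?]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")
# Directories a legitimately installed service or autostart rarely lives in.
USER_PROFILE_RE = re.compile(r"documents and settings|\\users\\|\\temp\\", re.I)


def parse_entry(line):
    """Split a '"Name"=value [date size]' line into (name, value), or None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    name, value = m.groups()
    value = re.sub(r"\s*\[[^\]]*\]$", "", value)  # drop the trailing [date size]
    return name, value.strip('"')


def triage(log_text):
    """Return (kind, name, note) findings for the log entries worth a second look."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue

        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue

        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, rest = m.groups()
            path = rest.split(" --> ")[-1]
            if path.endswith(" [?]"):  # ComboFix could not find the file on disk
                findings.append(("service", name, "file not present on disk: " + path[:-4]))
            if USER_PROFILE_RE.search(path):
                findings.append(("service", name, "driver loaded from a user profile path"))
            continue

        entry = parse_entry(line)
        if entry is None:
            continue
        name, value = entry

        if "currentversion\\run" in section:
            if "\\" not in value:
                findings.append(("autostart", name, "unqualified path, resolved by search order: " + value))
            elif USER_PROFILE_RE.search(value):
                findings.append(("autostart", name, "launched from a user profile path: " + value))
        elif "security center" in section:
            if value.lower().startswith("dword:") and int(value[6:], 16) != 0:
                findings.append(("security_center", name, "Security Center alerts for this component are suppressed"))
        elif "globallyopenports" in section:
            port, proto = name.split(":", 1)
            note = "inbound %s/%s allowed from any address" % (port, proto)
            if port == "3389" and proto.upper() == "TCP":
                note += " (Remote Desktop)"
            findings.append(("firewall", name, note))
    return findings


if __name__ == "__main__":
    for kind, name, note in triage(SAMPLE_LOG):
        print("%-16s %-18s %s" % (kind, name, note))
```

Run against the constructed sample it reports the suppressed antivirus alert, both globally open ports, the bare `Logi_MwX.Exe` autostart, and the two drivers whose files are missing; the vendor entries under Program Files and system32 produce nothing. Feed it a whole log and it simply ignores the sections it has no rule for.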

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
ComboFix took care of the service and driver I had my eye on - how is the machine behaving now? Any improvement?
 

· Registered
Joined
·
40 Posts
Discussion Starter · #11 ·
Don't know yet, Ried--working on it. This damn machine has more than just split personality so gotta let her misbehave and see how bad. Seems faster shutting down and rebooting; I am reloading antivirus and trying to figure out what ails the Adobe Reader program.

What driver issue did you see?
 

· Registered
Joined
·
40 Posts
Discussion Starter · #12 ·
Ried: Am having problems with Acrobat Reader--don't know if this is a virus issue but here's the error message. I attempted to uninstall Reader 10 and 6.1 but could not extract 6.1 because of whatever this message is trying to say. Am now reinstalling 10 but once again this message
 

Attachments

· Registered
Joined
·
40 Posts
Discussion Starter · #14 ·
Ried: Because of virus issues I am using a different machine for access to financials--can you comment on whether the virus issue is resolved or not?

My impression so far is that the machine is running better. Been several hours with no BSOD. Puzzled about the Reader hangup (old) and AVG problem (new).
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Let's get an online scan done at Eset to see if any remnants are lurking about. After that, we'll work on Acrobat Reader and AVG.

Please go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
 

· Registered
Joined
·
40 Posts
Discussion Starter · #16 ·
Ried:

Experienced an unattended BSOD just before getting your message; said NTFS.SYS error Page_Fault_in_Non_Page_Area; then another while trying to launch IE to send you the scan results below: CQRL_Not_Less_Or_EQUAL plus Generic Host Process System 32 warning on entering IE.

ESET scan log:
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP120\A0029770.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP120\A0029771.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP120\A0029772.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP120\A0029773.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP120\A0029774.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP122\A0029810.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP122\A0029811.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP122\A0029812.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP122\A0029813.rbf Win32/RegistryBooster application
C:\System Volume Information\_restore{664C88DC-1D4F-4076-9A9F-E80F1D768720}\RP122\A0029814.rbf Win32/RegistryBooster application
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
All of those detections are in your system restore cache. We'll take care of those when we're finished.

Have you run chkdsk yet? If not, I would recommend it. Make sure you do not need your computer for at least 12 hours before proceeding with this step. This scan may take that long and cannot be aborted. I recommend you run it overnight.

Click Start>Run and type in chkdsk /r

If it asks you to run chkdsk on restart please click yes, and restart your computer. This will check your hard drive for errors, and correct any minor errors it finds.
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts

· Registered
Joined
·
40 Posts
Discussion Starter · #20 ·
Ried:

Both of your links take me to the same page full of ads and a download link to get something about Driver Updates.

I have the original, said-to-be-authentic Windows XP Pro with SP2 disc. Is that enough?
 