Solved Trojan.injector....

Status
Not open for further replies.
D

DCMedia

Posts: 7   +0
Got his last night on both pcs along with another trojan.
reformatted the 1 PC, but this PC i'm on now I cannot reformat because of no recovery disc.

the one trojan was removed but on a second scan with Super Anti Spyware, the original trojan.injector was still present.

Ran SAS again and the trojan finally wasnt showing up.

Ran MAB and its not showing up and its not showing up on Avira either.

I just want to make sure this is cleaned off of my system so I did the 8 steps, here are the logs, but I am also going to scan once more with Avira, MAB and SAS.


Thanks for any help.


MAB---------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6068

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

3/16/2011 10:59:23 AM
mbam-log-2011-03-16 (10-59-23).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 313919
Time elapsed: 1 hour(s), 42 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER---------------------------------------

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-16 13:48:02
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316081 rev.3.AD
Running: e3kimqtj.exe; Driver: C:\Users\User\AppData\Local\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

Code 8B07CBFC ZwTraceEvent
Code 8B07CBFB NtTraceEvent
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.15 ----



DDS---------------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 13:52:14.38 on Wed 03/16/2011
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.332 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\McAfee Security Scan\2.0.181\McUICnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\User\Documents\New Folder (2)\dds.scr
C:\Windows\System32\osk.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe
mRun: [NeroRebootSetup] "c:\users\user\appdata\local\temp\nro.tmp\SetupX.exe" SC -Reboot PIINSTALLTYPE="0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\zw72x8co.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\users\user\appdata\roaming\mozilla\firefox\profiles\zw72x8co.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint(145).dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\user\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\user\appdata\roaming\mozilla\firefox\profiles\zw72x8co.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-14 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-2 301528]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-23 224240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 30112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-11-2 22016]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2006-11-15 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-2 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-9-2 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-14 42184]
R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-22 30152]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-7-25 114952]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-1-12 125672]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\google\update\GoogleUpdate.exe [2009-7-19 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-11-2 22016]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-03-16 01:19:06 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-15 02:08:17 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
==================== Find3M ====================
.
2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-01-05 04:40:32 36864 ----a-w- C:\nphssb.dll
2011-01-05 04:39:59 184320 ----a-w- c:\windows\system32\OESICore.dll
2011-01-05 04:39:58 45056 ----a-w- c:\windows\system32\HSSICore.dll
2011-01-05 04:39:58 40960 ----a-w- c:\windows\system32\HS_live.ocx
2011-01-05 04:38:39 98136 ----a-w- c:\windows\gzip.exe
.
============= FINISH: 13:53:01.16 ===============



-DDS ATTACH------------------------------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 11/15/2006 12:04:33 PM
System Uptime: 3/15/2011 9:10:56 PM (16 hours ago)
.
Motherboard: Dell Inc. | | 0WG864
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 70.027 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 7.019 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
545 Studios Skinstaller (remove only)
AAC Decoder
AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Community Help
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop CS5
Adobe Reader 9.3
Adobe Shockwave Player 11.5
Advertising Center
AIMutation (remove only)
Akamai NetSession Interface
AOL Instant Messenger
Apple Application Support
Apple Software Update
Ashampoo Burning Studio 6 FREE
Astroburn Lite
Audacity 1.3.9 (Unicode)
AutoUpdate
avast! Free Antivirus
Backyard Skateboarding
CCleaner (remove only)
COMODO Internet Security
Contents
Corel PaintShop Photo Pro X3
DeviceIO
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DolbyFiles
GIMP 2.6.7
Google Chrome
Google SketchUp 7
Google Update Helper
H.264 Decoder
Homestead SiteBuilder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICA
ImagXpress
ImgBurn
Intel(R) Graphics Media Accelerator Driver
IPM_PSP_Pro
Java Auto Updater
Java(TM) 6 Update 21
KeyScrambler
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Menu Templates - Starter Kit
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# 2.0 Redistributable Package
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MKV Splitter
Movie Templates - Starter Kit
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Trial
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero Disc Copy Gadget
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero Live
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
NeroLiveGadget
neroxml
Paint.NET v3.36
PDF Settings CS5
PhoTags Express
PSPPContent
PSPPRO_DCRAW
PureHD
QuickTime
Recuva
Sandboxie 3.52
SANYO USB Modem SY03 Driver
Security Update for Windows Media Encoder (KB954156)
Setup
Share
SoundTrax
SUPERAntiSpyware Free Edition
System Requirements Lab
Uninstall Dual Mode Camera
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VIO
VLC media player 0.9.9
Winamp
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinRAR archiver
ZoneAlarm Spy Blocker Toolbar
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help with the system.

First, you are loading processes for 3 antivirus programs:
Avast
Comodo (Internet Security)
McAfee
I also noted a ZoneAlarm Toolbar.
Please remove two of them. Reboot the computer when done.
========================================
Instead of the rescans you suggested, please do these:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===========================================
Download Combofix to your desktop from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Thank you sir



online scan-
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application



combofix-

ComboFix 11-03-16.06 - User 03/17/2011 18:41:33.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.317 [GMT -4:00]
Running from: c:\users\User\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-17 to 2011-03-17 )))))))))))))))))))))))))))))))
.
.
2011-03-17 22:38 . 2011-03-17 22:38 -------- d-----w- C:\32788R22FWJFW
2011-03-16 19:30 . 2011-03-16 19:30 -------- d-----w- c:\program files\ESET
2011-03-16 01:19 . 2011-03-17 17:59 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-15 02:08 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 14:04 . 2010-09-02 16:29 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 14:04 . 2010-09-02 16:29 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 13:56 . 2010-09-02 16:30 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 13:55 . 2010-09-02 16:30 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 13:55 . 2010-09-02 16:30 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 13:55 . 2010-09-02 16:30 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-02-23 13:54 . 2010-09-02 16:30 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-05 04:40 . 2011-01-05 04:51 36864 ----a-w- C:\nphssb.dll
2011-01-05 04:39 . 2011-01-05 04:51 184320 ----a-w- c:\windows\system32\OESICore.dll
2011-01-05 04:39 . 2011-01-05 04:51 45056 ----a-w- c:\windows\system32\HSSICore.dll
2011-01-05 04:39 . 2011-01-05 04:51 40960 ----a-w- c:\windows\system32\HS_live.ocx
2011-01-05 04:38 . 2011-01-05 04:39 98136 ----a-w- c:\windows\gzip.exe
2010-12-20 22:09 . 2009-05-31 07:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 22:08 . 2009-05-31 07:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 23:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
"AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-05-29 1232896]
"Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-23 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-07 2039240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 133104]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2006-11-02 22016]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-07 224240]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-07 30112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-10-16 464264]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
S2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore(1882).job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
.
2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA(1883).job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
.
2011-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zw72x8co.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-17 18:52
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\guard32.dll
.
Completion time: 2011-03-17 18:56:37
ComboFix-quarantined-files.txt 2011-03-17 22:56
.
Pre-Run: 72,668,479,488 bytes free
Post-Run: 75,140,534,272 bytes free
.
- - End Of File - - 1AB2B517EAA14522BC80F0C024FA7C21
 
Did I do that last scan correct?

Combofix opened as a blue screen and started scanning.

when done I accidently closed the combofix.txt out, and when I went to click on it on my start menu to pull it up again it kept saying the file was in que for deletion or something of that sort, as well as all the other programs on the start menu...firefox, mspaint ect.

I restarted the PC and now everything is working fine.

had to manually get that scnan log by going to run>c:\combofix.txt
 
No- why would you want to do that I'm helping a lot of members and just hadn't gotten back to you yet.

First, you are loading processes for 3 antivirus programs:
Avast
Comodo (Internet Security)
McAfee
I also noted a ZoneAlarm Toolbar.
Please remove two of them. Reboot the computer when done.
Click to expand...
You are still running processes for Avast, McAfee and Comodo. . Please uninstall all but 1. program. Reboot when finished.
=====================================
Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code: 
    :Files  
C:\Program Files\AIM\Sysfiles\WxBug.EXE
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================================
Please unbinstall the Weather program you have.
===========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code: 
File::
c:\program files\Viewpoint\Common\ViewpointService.exe 
c:\program files\AskBarDis\bar\bin\AskService.exe
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
Driver::
Viewpoint Service;Viewpoint Service
ASKService;ASKService
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
Please go to Add/Remove programs and uninstall anything with Ask and Viewpoint in the name. Then use Windows Explorer to find the program folder for each and do a right click> Delete on it.
========================
Please run this Security Check:

Download Security Check by screen317 from HERE or HERE .
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Sorry bout that man.

Just did everything you said. I deleted all but Avast, but I though I was able to run Comodo firewall with avast?

Anyways, here are the logs:


All processes killed
========== FILES ==========
File/Folder C:\Program Files\AIM\Sysfiles\WxBug.EXE not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: User
->Temp folder emptied: 1904623 bytes
->Temporary Internet Files folder emptied: 803360 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 20835567 bytes
->Google Chrome cache emptied: 400500472 bytes
->Flash cache emptied: 1646 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5016 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 25682 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 404.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 03202011_004632

Files moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...



-----------------------------

ComboFix 11-03-16.06 - User 03/20/2011 1:08.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.257 [GMT -4:00]
Running from: c:\users\User\Downloads\ComboFix.exe
Command switches used :: c:\users\User\Downloads\CFScript.txt
.
FILE ::
"c:\program files\AskBarDis\bar\bin\AskService.exe"
"c:\program files\Viewpoint\Common\ViewpointService.exe"
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-20 05:17 . 2011-03-20 05:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-20 04:56 . 2011-03-20 04:56 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-20 04:33 . 2011-03-20 04:33 -------- d-----w- C:\_OTM
2011-03-17 22:56 . 2011-03-20 05:18 -------- d-----w- c:\users\User\AppData\Local\temp
2011-03-16 19:30 . 2011-03-16 19:30 -------- d-----w- c:\program files\ESET
2011-03-15 02:08 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-19 03:43 . 2010-02-16 20:19 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2011-03-19 03:43 . 2010-02-16 20:19 88 --sh--r- c:\programdata\813C01CEED.sys
2011-02-23 14:04 . 2010-09-02 16:29 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 14:04 . 2010-09-02 16:29 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 13:56 . 2010-09-02 16:30 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 13:55 . 2010-09-02 16:30 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 13:55 . 2010-09-02 16:30 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 13:55 . 2010-09-02 16:30 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-02-23 13:54 . 2010-09-02 16:30 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-05 04:40 . 2011-01-05 04:51 36864 ----a-w- C:\nphssb.dll
2011-01-05 04:39 . 2011-01-05 04:51 184320 ----a-w- c:\windows\system32\OESICore.dll
2011-01-05 04:39 . 2011-01-05 04:51 45056 ----a-w- c:\windows\system32\HSSICore.dll
2011-01-05 04:39 . 2011-01-05 04:51 40960 ----a-w- c:\windows\system32\HS_live.ocx
2011-01-05 04:38 . 2011-01-05 04:39 98136 ----a-w- c:\windows\gzip.exe
2010-12-20 22:09 . 2009-05-31 07:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 22:08 . 2009-05-31 07:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
"AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-05-29 1232896]
"Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-23 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 133104]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2006-11-02 22016]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore(1882).job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
.
2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA(1883).job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zw72x8co.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 01:17
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-20 01:21:27
ComboFix-quarantined-files.txt 2011-03-20 05:21
ComboFix2.txt 2011-03-17 22:56
.
Pre-Run: 77,021,835,264 bytes free
Post-Run: 77,002,362,880 bytes free
.
- - End Of File - - 227B98CED71C565369FE8F5C0BC445D9


------------------------


Results of screen317's Security Check version 0.99.9
Windows Vista (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner (remove only)
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 9.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
User AppData Local Google\Chrome\Application\AvastSvc.exe -?-
Alwil Software Avast5 AvastUI.exe
``````````End of Log````````````
 
Just a note from OTM: Total Files Cleaned = 404.00 mb That is a lot of files and may indicate you're not doing regular maintenance on the machine.

but I though I was able to run Comodo firewall with avast?
Click to expand...
You can. But it appeared that you were running the Comodo Security Suite which also contains an AV program. Just get it down to Firewall only.
1. But if you run the Comodo firewall, you should disable that Windows Firewall Enabled!
====================================
Outdated programs that are vulnerabilities to the system. Please update to current versions, then uninstall old versions (Java v6u21) (Adobe Reader v9.3) in Add/Remove Programs:
Java(TM) 6 Update 21> current is v6u24: Check this site- Java Updates
Adobe Reader > current is v10(X)> Check this site- Adobe Reader
Vista Service Pack> current is SP2> Check Here Microsoft Download Site
=====================================
There is a file I can't identify:
Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

    Code: 
    c:\programdata\813C01CEED.sys
    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.
=========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
Code: 
File::
c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe
DDS::
c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=- 
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Driver::
McComponentHostService
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
If the file you sent off comes back clean you'll be finished. So final word comes after that.
 
Alright cool.
Updated everything and deleted old versions, except for SP2. It kept saying it was unable to install the updates, gonna mess with it more tonight.

Here are the logs though.




VirSCAN.org Scanned Report :
Scanned time : 2011/03/22 12:59:41 (EDT)
Scanner results: Scanners did not find malware!
File Name : 813C01CEED.sys
File Size : 88 byte
File Type : X11 SNF font data, LSB first
MD5 : cd64ab16a650d7c7e7708f5e11074806
SHA1 : 96f3f7844e8ec94d49717a74b502086680e726c5
Online report : http://virscan.org/report/ba355159e0a6e0a7f6a5f3dfd0197dfc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110322060919 2011-03-22 0.09 -
AhnLab V3 2011.03.23.00 2011.03.23 2011-03-23 0.08 -
AntiVir 8.2.4.188 7.11.5.27 2011-03-22 0.28 -
Antiy 2.0.18 20110205.7694535 2011-02-05 0.12 -
Arcavir 2010 201103222345 2011-03-22 0.03 -
Authentium 5.1.1 201103220040 2011-03-22 2.55 -
AVAST! 4.7.4 110322-0 2011-03-22 0.00 -
AVG 8.5.850 271.1.1/3516 2011-03-19 0.24 -
BitDefender 7.90123.6945317 7.36725 2011-03-23 6.38 -
ClamAV 0.96.5 12875 2011-03-22 0.02 -
Comodo 4.0 8064 2011-03-22 0.08 -
CP Secure 1.3.0.5 2011.03.22 2011-03-22 0.01 -
Dr.Web 5.0.2.3300 2011.03.22 2011-03-22 11.03 -
F-Prot 4.4.4.56 20110322 2011-03-22 1.43 -
F-Secure 7.02.73807 2011.03.22.01 2011-03-22 12.22 -
Fortinet 4.2.254 13.25 2011-03-21 0.08 -
GData 21.2102/21.763 20110322 2011-03-22 0.09 -
ViRobot 20110322 2011.03.22 2011-03-22 0.08 -
Ikarus T3.1.32.20.0 2011.03.22.77993 2011-03-22 4.75 -
JiangMin 13.0.900 2011.03.22 2011-03-22 0.08 -
Kaspersky 5.5.10 2011.03.22 2011-03-22 0.03 -
KingSoft 2009.2.5.15 2011.3.22.18 2011-03-22 0.08 -
McAfee 5400.1158 6292 2011-03-21 8.02 -
Microsoft 1.6603 2011.03.22 2011-03-22 0.08 -
NOD32 3.0.21 5972 2011-03-21 0.01 -
Norman 6.07.03 6.07.00 2011-03-20 16.02 -
Panda 9.05.01 2011.03.21 2011-03-21 0.08 -
Trend Micro 9.200-1012 7.918.09 2011-03-22 0.02 -
Quick Heal 11.00 2011.03.22 2011-03-22 0.08 -
Rising 20.0 23.50.01.06 2011-03-22 0.08 -
Sophos 3.16.1 4.62 2011-03-22 3.08 -
Sunbelt 3.9.2483.2 8780 2011-03-22 0.08 -
Symantec 1.3.0.24 20110321.002 2011-03-21 0.29 -
nProtect 20110322.01 3270065 2011-03-22 0.09 -
The Hacker 6.7.0.1 v00154 2011-03-21 0.08 -
VBA32 3.12.14.3 20110321.1214 2011-03-21 3.60 -
VirusBuster 5.2.0.28 13.6.263.0/48234942011-03-22 0.00 -




------------------------------------------------------------------------


ComboFix 11-03-16.06 - User 03/22/2011 17:01:39.4.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.398 [GMT -4:00]
Running from: c:\users\User\Downloads\ComboFix.exe
Command switches used :: c:\users\User\Downloads\CFScript.txt
.
FILE ::
"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_McComponentHostService
.
.
((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
.
.
2011-03-22 21:11 . 2011-03-22 21:11 -------- d-----w- c:\users\User\AppData\Local\temp
2011-03-22 21:11 . 2011-03-22 21:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-22 18:35 . 2011-03-22 18:35 -------- d-----w- c:\program files\Common Files\Java
2011-03-20 04:56 . 2011-03-22 20:08 5016 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-20 04:33 . 2011-03-20 04:33 -------- d-----w- C:\_OTM
2011-03-16 19:30 . 2011-03-16 19:30 -------- d-----w- c:\program files\ESET
2011-03-15 02:08 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-19 03:43 . 2010-02-16 20:19 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2011-03-19 03:43 . 2010-02-16 20:19 88 --sh--r- c:\programdata\813C01CEED.sys
2011-02-23 14:04 . 2010-09-02 16:29 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 14:04 . 2010-09-02 16:29 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 13:56 . 2010-09-02 16:30 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 13:55 . 2010-09-02 16:30 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 13:55 . 2010-09-02 16:30 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 13:55 . 2010-09-02 16:30 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-02-23 13:54 . 2010-09-02 16:30 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-03 01:40 . 2010-08-18 16:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-05 04:40 . 2011-01-05 04:51 36864 ----a-w- C:\nphssb.dll
2011-01-05 04:39 . 2011-01-05 04:51 184320 ----a-w- c:\windows\system32\OESICore.dll
2011-01-05 04:39 . 2011-01-05 04:51 45056 ----a-w- c:\windows\system32\HSSICore.dll
2011-01-05 04:39 . 2011-01-05 04:51 40960 ----a-w- c:\windows\system32\HS_live.ocx
2011-01-05 04:38 . 2011-01-05 04:39 98136 ----a-w- c:\windows\gzip.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
"AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-05-29 1232896]
"Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-23 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 gupdate1ca08a1186aedbc;Google Update Service (gupdate1ca08a1186aedbc);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 133104]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2006-11-02 22016]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore(1882).job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
.
2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA(1883).job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 18:44]
.
2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
.
2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-717310467-2134114534-2975817673-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-18 03:00]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zw72x8co.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: KeyScrambler: keyscrambler@qfx.software.corporation - %profile%\extensions\keyscrambler@qfx.software.corporation
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: SEO For Firefox: seo4firefox@seobook.com - %profile%\extensions\seo4firefox@seobook.com
FF - Ext: ChaCha Guide App Toolbar: chachaguidebar@chacha.com - %profile%\extensions\chachaguidebar@chacha.com
FF - Ext: Ant Video Downloader: anttoolbar@ant.com - %profile%\extensions\anttoolbar@ant.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 17:11
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-22 17:14:31
ComboFix-quarantined-files.txt 2011-03-22 21:14
ComboFix2.txt 2011-03-20 05:21
ComboFix3.txt 2011-03-17 22:56
.
Pre-Run: 92,475,088,896 bytes free
Post-Run: 92,453,396,480 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - DFE82BBC94D0D11F8B863585C171AD83
 
Looking good! Any sign of the previous problem? If not:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
==================================
Make sure you do the updates. You need to open Firefox extensions and remove these outdated versions:
Java v6u13
Java v6u21
Javav6u24>>>> Although this s the current version, you do not need to add an extension to update Java in Firefox. This can actually cause a problem with Firefox running. The update you get for the system .

Remember- any outdated Java or Adobe Reader are security vulnerabilities.
==========================================
Tips for added security and safer browsing:


  1. Antispyware: I recommend all of the following:
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • Download ZonedOut and save to your desktop. This manages the Zones in Internet Explorer. It over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Replace the Host Files
      MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar Get the free google toolbar to help stop pop up windows.
    • The Site Advisor Web of Trust (WOT) add-on is a . Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.
  2. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  3. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  4. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Let me know if you have any more questions.
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
793
uber_beetle
uber_beetle
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni

Latest posts

Back