1.1K Posts

October 6th, 2010 13:00

Hello freezeman12 and welcome.

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family, so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable; with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed; if you need more time let me know. Likewise, if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent or Limewire etc., please remove them before we start.
  • If you have any cracked or illegal software in use the thread will be locked and all help will cease.


As follows please :-

Step 1

Please re-open HiJackThis and scan only.  Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Step 2

Download and scan with CCleaner

1. Starting with v 1.27.26 (This version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours".
3. Then select the items you wish to clean up.

In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.



In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.


4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 4

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply :-

  • Log from Malwarebytes
  • Log from Security Checks
  • Fresh HJT log
  • System review, improvements? issues?


Kevin
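The R1 entry fixed in Step 1 points Internet Explorer's proxy at 127.0.0.1:6092, i.e. a listener on the PC itself sits between the browser and the network. As an added example (not part of the thread or of HijackThis), the Python below parses HijackThis R0/R1 lines and flags ProxyServer values that target a loopback address; apart from the thread's own R1 line, the sample lines are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# HijackThis R0/R1 entries look like:
#   R1 - HKCU\Software\...\Internet Settings,ProxyServer = http=127.0.0.1:6092
#   R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
HJT_R_LINE = re.compile(
    r"^(?P<section>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$"
)

# Constructed sample log (first line is the thread's own R1 entry, the
# HKLM ProxyServer line is an invented corporate-style proxy for contrast).
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R1 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.internal:8080",
    r'O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui',
]


def parse_r_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one R0/R1 line into section, registry key, value name and value.
    Returns None for any other HijackThis line (O2, O4, O23, ...)."""
    m = HJT_R_LINE.match(line.strip())
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def proxy_targets(value: str) -> List[str]:
    """Expand a ProxyServer value into host:port targets.
    Handles both 'host:port' and 'http=host:port;https=host:port' forms."""
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # 'http=127.0.0.1:6092' -> '127.0.0.1:6092'
            part = part.split("=", 1)[1].strip()
        targets.append(part)
    return targets


def is_loopback_target(target: str) -> bool:
    """True when the proxy host is the local machine (127.0.0.0/8, ::1, localhost)."""
    host = target.rpartition(":")[0] if ":" in target else target
    host = host.strip("[]").lower()          # '[::1]:8080' -> '::1'
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # a hostname, not an IP literal
        return False


def audit_proxy_entries(log_lines: List[str]) -> List[Dict[str, object]]:
    """Report every ProxyServer entry; a loopback target is marked suspicious,
    any other configured proxy is left for the analyst to review."""
    findings = []
    for line in log_lines:
        entry = parse_r_entry(line)
        if entry is None or entry["name"].lower() != "proxyserver":
            continue
        targets = proxy_targets(entry["value"])
        loopback = [t for t in targets if is_loopback_target(t)]
        findings.append({
            "key": entry["key"],
            "targets": targets,
            "verdict": "suspicious: loopback proxy" if loopback
                       else "review: proxy configured",
        })
    return findings


if __name__ == "__main__":
    for f in audit_proxy_entries(SAMPLE_HJT_LINES):
        print(f"{f['verdict']:<28} {f['key']} -> {', '.join(f['targets'])}")
```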

14 Posts

October 6th, 2010 20:00

Hello Kevin,

Sorry, I was looking at the current replies to the threads in the malware removal forum and I saw that you responded to most of them, so I gave you a message. Thanks for taking your time to help me.

Here is my malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4762

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

10/6/2010 9:34:36 PM
mbam-log-2010-10-06 (21-34-36).txt

Scan type: Quick scan
Objects scanned: 133149
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

Here is my Security Checks Log:

Results of screen317's Security Check version 0.99.5 
 Windows Vista Service Pack 2 (UAC is enabled)
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 avast! Free Antivirus   
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 CCleaner    
 Java(TM) 6 Update 21 
 Java(TM) 6 Update 5 
 Out of date Java installed!
 Adobe Flash Player 10.1.85.3 
Adobe Reader 8.2.0
Out of date Adobe Reader installed!
 Mozilla Firefox (3.6.10) Firefox Out of Date! 
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Windows Defender MSASCui.exe
 Spybot Teatimer.exe is disabled!
 Windows Defender MSASCui.exe  
 Alwil Software Avast5 AvastSvc.exe 
 Alwil Software Avast5 AvastUI.exe 
````````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

 

Here is my fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:46:29 PM, on 10/6/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Elliot\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7606 bytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am still getting a code 80072efe error when I try to get my windows updates. I also get a virus warning from my avast anti virus program when I open my firefox browser. Finally, I get a message saying that my host process has been stopped.

 

1.1K Posts

October 6th, 2010 23:00

Hiya freezeman12,

It's OK about the PM. I don't like to take too many threads on together; logs can be complex and take a considerable length of time to research. I only help out here when the site is busy, it's not my home site. Helpers are a bit thin on the ground, that's why I've taken on more than usual....

Please proceed as follows :-

Step 1

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    -------------------------------------------------------------------------------------------------------------------
    :Processes

    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    --------------------------------------------------------------------------------------------------------------------
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 2

Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


You can refer to this animation by neomage if needed.
Frequently asked questions available Here

Step 3

Please download VEW by Vino Rosso from HERE and save it to your Desktop.

  • Double-click VEW.exe to start; Vista and Windows 7 users right-click and select "Run as Administrator".
  • Under 'Select log to query...' check the boxes for both Application and System.
  • Under 'Select type to list...' select both Error and Critical.
  • Click the radio button for 'Number of events...' and type 10 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.



Please post the Output log in your next reply.

What I'd like in reply :-

  • Log from OTM
  • Log from ESET
  • Log from VEW
  • System review, improvements? issues?



Kevin

14 Posts

October 7th, 2010 08:00

Log from OTM:

All processes killed
========== PROCESSES ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Elliot\Downloads\cmd.bat deleted successfully.
C:\Users\Elliot\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Elliot
->Temp folder emptied: 378547 bytes
->Temporary Internet Files folder emptied: 89539 bytes
->Java cache emptied: 9259323 bytes
->FireFox cache emptied: 98197092 bytes
->Flash cache emptied: 4339 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 4325141 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 1095491 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 108.00 mb
 
Error creating restore point.
 
OTM by OldTimer - Version 3.1.16.1 log created on 10072010_013921

Files moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

 

Log from ESETScan:

C:\Windows.old\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
C:\Windows.old\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
C:\Windows.old\Users\Elliot Wasser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\591ffc59-5545f3b3    a variant of Java/TrojanDownloader.Agent.NAN trojan    deleted - quarantined
C:\Windows.old\Users\Elliot Wasser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-4fb026c0    probably a variant of Win32/Agent.HRYTTOE trojan    deleted - quarantined
C:\Windows.old\Users\Elliot Wasser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-7fe9a62e    probably a variant of Win32/Agent.FPEXZHL trojan    deleted - quarantined
C:\Windows.old\Users\Elliot Wasser\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-14ad839f    multiple threats    deleted - quarantined
C:\Windows.old\Users\Elliot Wasser\AppData\Roaming\scdata\wispex.html    Win32/Adware.WinAntiVirus application    cleaned by deleting - quarantined
C:\Windows.old\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\JnteZcorv10.exeZxHffff3d5cV03003f36002Rf183b3a4108Tb3e9a6bcQ000002fa901801F002d000aJ12000601l0409325    probably a variant of Win32/Agent.DSFIQXJ trojan    deleted - quarantined

Log from VEW:

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 07/10/2010 10:18:17 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 07/10/2010 2:11:50 PM
Type: Error Category: 0
Event: 8210 Source: System Restore
The scheduled restore point could not be created.  Additional information: (0x800423f4).

Log: 'Application' Date/Time: 07/10/2010 2:11:50 PM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x800423f4).

Log: 'Application' Date/Time: 07/10/2010 2:11:50 PM
Type: Error Category: 0
Event: 16387 Source: SPP
Shadow copy creation failed because of error reported by ASR Writer.  More info: The parameter is incorrect. (0x80070057).

Log: 'Application' Date/Time: 07/10/2010 2:11:20 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 8.0.6001.18943 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: 139c Start Time: 01cb66296e1690c0 Termination Time: 16

Log: 'Application' Date/Time: 07/10/2010 8:28:41 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 07/10/2010 8:27:47 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 0x49e03821, exception code 0xc0000005, fault offset 0x0004714e, process id 0x4c8, application start time 0x01cb65e242499d7f.

Log: 'Application' Date/Time: 07/10/2010 5:41:38 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 07/10/2010 5:39:57 AM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point on volume (Process = C:\Windows\system32\wbem\wmiprvse.exe; Descripton = OTM Restore Point; Hr = 0x800423f4).

Log: 'Application' Date/Time: 07/10/2010 5:39:57 AM
Type: Error Category: 0
Event: 16387 Source: SPP
Shadow copy creation failed because of error reported by ASR Writer.  More info: The parameter is incorrect. (0x80070057).

Log: 'Application' Date/Time: 07/10/2010 5:23:05 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 19/09/2010 10:13:07 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/10/2010 2:10:09 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 2:10:08 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 2:10:07 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 2:10:07 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 2:10:06 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 2:10:06 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 2:10:05 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 8:29:57 AM
Type: Error Category: 0
Event: 7032 Source: Service Control Manager
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.

Log: 'System' Date/Time: 07/10/2010 5:41:59 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

Log: 'System' Date/Time: 07/10/2010 5:41:59 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The BCM42RLY service failed to start due to the following error:  The system cannot find the file specified.

I am still getting the code 80072efe error and the host process stopping message. I am not seeing the message from avast anymore when I open my mozilla firefox browser.

1.1K Posts

October 7th, 2010 11:00

Hiya freezeman12,

Proceed as follows please :-

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection


Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).


Post Combofix log in reply please,

Kevin

14 Posts

October 7th, 2010 15:00

Ok, I tried to get my windows updates again and I got different errors. I now have code 8024200D and code 646.

14 Posts

October 7th, 2010 15:00

ComboFix 10-10-07.01 - Elliot 10/07/2010  16:59:40.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3061.1907 [GMT -4:00]
Running from: c:\users\Elliot\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Launcher.exe

Infected copy of c:\windows\system32\DRIVERS\RDPCDD.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2010-09-07 to 2010-10-07  )))))))))))))))))))))))))))))))
.

2010-10-07 21:07 . 2010-10-07 21:09    --------    d-----w-    c:\users\Elliot\AppData\Local\temp
2010-10-07 21:07 . 2010-10-07 21:07    --------    d-----w-    c:\users\Default\AppData\Local\temp
2010-10-07 05:52 . 2010-10-07 05:52    --------    d-----w-    c:\program files\ESET
2010-10-07 05:39 . 2010-10-07 05:39    --------    d-----w-    C:\_OTM
2010-10-07 01:26 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-07 01:26 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-10-06 23:00 . 2010-10-06 23:00    --------    d-----w-    c:\program files\CCleaner
2010-10-04 22:20 . 2010-10-04 22:20    --------    d-----w-    c:\users\Elliot\AppData\Roaming\Malwarebytes
2010-10-04 22:20 . 2010-10-04 22:20    --------    d-----w-    c:\programdata\Malwarebytes
2010-10-04 22:20 . 2010-10-07 01:26    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-10-04 22:16 . 2010-10-04 22:18    --------    d-----w-    c:\windows\system32\catroot2
2010-10-04 03:58 . 2010-10-04 03:59    --------    d-----w-    c:\programdata\PopCap Games
2010-10-04 02:25 . 2010-09-07 14:52    46672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2010-10-04 02:25 . 2010-09-07 14:52    165584    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2010-10-04 02:25 . 2010-09-07 14:47    23376    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2010-10-04 02:25 . 2010-09-07 14:47    50768    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2010-10-04 02:25 . 2010-09-07 14:47    17744    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2010-10-04 02:25 . 2010-09-07 15:12    38848    ----a-w-    c:\windows\avastSS.scr
2010-10-04 02:25 . 2010-09-07 15:11    167592    ----a-w-    c:\windows\system32\aswBoot.exe
2010-10-04 00:58 . 2010-10-04 00:58    --------    d-sh--w-    c:\windows\system32\%APPDATA%
2010-09-30 23:48 . 2010-09-30 23:49    --------    d-----w-    c:\users\Elliot\AppData\Roaming\vlc
2010-09-20 02:23 . 2010-09-24 06:51    --------    d-----w-    c:\programdata\SecTaskMan
2010-09-18 06:04 . 2010-09-18 06:07    --------    d-----w-    c:\users\Elliot\AppData\Roaming\DivX
2010-09-18 06:02 . 2010-09-18 06:05    --------    d-----w-    c:\program files\DivX
2010-09-18 06:02 . 2010-09-18 06:05    --------    d-----w-    c:\programdata\DivX
2010-09-12 19:48 . 2010-09-12 20:12    --------    d-----w-    c:\users\Elliot\AppData\Local\Graboid
2010-09-12 19:48 . 2010-09-12 19:49    --------    d-----w-    c:\users\Elliot\AppData\Roaming\MozillaControl
2010-09-12 19:47 . 2010-09-12 19:47    --------    d-----w-    c:\program files\VideoLAN
2010-09-12 19:46 . 2010-09-20 01:43    --------    d-----w-    c:\program files\Graboid

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 14:29 . 2010-08-20 02:35    46    ----a-w-    c:\users\Elliot\jagex_runescape_preferences.dat
2010-10-07 14:29 . 2010-08-20 02:38    99    ----a-w-    c:\users\Elliot\jagex_runescape_preferences2.dat
2010-10-06 23:11 . 2010-08-20 02:03    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2010-10-05 00:32 . 2010-09-01 02:37    372736    ----a-w-    c:\programdata\Dell\DSL\DSLCheck.exe
2010-10-04 02:25 . 2010-08-20 01:56    --------    d-----w-    c:\programdata\Alwil Software
2010-10-04 01:47 . 2010-08-20 02:03    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-10-04 00:21 . 2010-09-04 07:20    --------    d-----w-    c:\program files\Windows Portable Devices
2010-10-04 00:19 . 2010-08-20 04:04    --------    d-----w-    c:\programdata\Microsoft Help
2010-10-04 00:19 . 2010-08-20 03:28    --------    d-----w-    c:\programdata\Dell
2010-10-04 00:19 . 2010-08-20 02:34    --------    d-----w-    c:\programdata\Yahoo! Companion
2010-10-04 00:19 . 2010-08-20 02:31    --------    d-----w-    c:\program files\Yahoo!
2010-10-04 00:19 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Sidebar
2010-10-04 00:18 . 2006-11-02 11:18    --------    d-----w-    c:\program files\Windows Mail
2010-09-24 10:23 . 2010-08-20 02:34    --------    d-----w-    c:\programdata\Yahoo! Companion(553)
2010-09-22 05:53 . 2010-08-20 01:42    1356    ----a-w-    c:\users\Elliot\AppData\Local\d3d9caps.dat
2010-09-04 07:19 . 2006-11-02 10:25    86016    ----a-w-    c:\windows\Inf\infstrng.dat
2010-09-04 07:19 . 2006-11-02 10:25    86016    ----a-w-    c:\windows\Inf\infstor.dat
2010-09-04 07:19 . 2006-11-02 10:25    665600    ----a-w-    c:\windows\Inf\drvindex.dat
2010-09-04 07:19 . 2006-11-02 10:25    51200    ----a-w-    c:\windows\Inf\infpub.dat
2010-09-04 07:19 . 2010-09-04 07:19    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Photo Gallery
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Journal
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Collaboration
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Calendar
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Defender
2010-08-23 04:15 . 2010-08-23 00:53    --------    d-----w-    c:\programdata\Norton
2010-08-23 00:53 . 2010-08-23 00:53    --------    d-----w-    c:\programdata\Symantec
2010-08-23 00:53 . 2010-08-23 00:53    --------    d-----w-    c:\programdata\NortonInstaller
2010-08-21 00:46 . 2010-08-21 00:45    --------    d-----w-    c:\program files\Common Files\Adobe
2010-08-20 23:37 . 2010-08-20 23:37    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2010-08-20 23:07 . 2010-08-20 04:10    --------    d-----w-    c:\program files\Microsoft.NET
2010-08-20 23:03 . 2010-08-20 01:42    59464    ----a-w-    c:\users\Elliot\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-20 23:02 . 2010-08-20 23:02    --------    d-----w-    c:\programdata\Office Genuine Advantage
2010-08-20 22:11 . 2010-08-20 04:10    --------    d-----w-    c:\program files\Microsoft Works
2010-08-20 03:55 . 2010-08-20 03:55    --------    d-----w-    c:\program files\CyberLink
2010-08-20 03:55 . 2010-08-20 03:55    --------    d-----w-    c:\programdata\CyberLink
2010-08-20 03:55 . 2010-08-20 01:56    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-08-20 03:55 . 2010-08-20 01:52    --------    d-----w-    c:\program files\Dell
2010-08-20 03:48 . 2010-08-20 03:48    76    --sh--r-    c:\windows\CT4CET.bin
2010-08-20 03:48 . 2010-08-20 03:46    --------    d-----w-    c:\program files\Creative
2010-08-20 03:48 . 2010-08-20 03:48    --------    d-----w-    c:\program files\Common Files\Reallusion
2010-08-20 03:47 . 2010-08-20 03:47    --------    d-----w-    c:\program files\Creative Live! Cam
2010-08-20 03:34 . 2010-08-20 03:34    --------    d-----w-    c:\program files\Common Files\Java
2010-08-20 03:31 . 2010-08-20 03:31    --------    d-----w-    c:\program files\Modem Diagnostic Tool
2010-08-20 03:29 . 2010-08-20 03:29    69120    ----a-w-    c:\programdata\SupportSoft\DellSupportCenter\_default\data\f9cd5860-4b46-43fa-aa04-46ba9e956204\7e7d3c88-958b-4607-85a7-8c1cc5188887.1\NOTEPAD.EXE
2010-08-20 03:29 . 2010-08-20 03:29    --------    d-----w-    c:\programdata\SupportSoft
2010-08-20 03:29 . 2010-08-20 03:28    --------    d-----w-    c:\program files\Dell Support Center
2010-08-20 03:28 . 2010-08-20 03:28    --------    d-----w-    c:\program files\Common Files\supportsoft
2010-08-20 03:21 . 2010-08-20 02:04    --------    d-----w-    c:\program files\Intel
2010-08-20 03:17 . 2010-08-20 03:17    --------    d-----w-    c:\program files\Marvell
2010-08-20 03:16 . 2010-08-20 01:56    --------    d-----w-    c:\program files\Common Files\InstallShield
2010-08-20 03:16 . 2010-08-20 03:16    --------    d-----w-    c:\users\Elliot\AppData\Roaming\TMP
2010-08-20 03:09 . 2010-08-20 03:09    --------    d-----w-    c:\program files\Cisco
2010-08-20 03:07 . 2010-08-20 03:07    --------    d-----w-    c:\users\Elliot\AppData\Roaming\InstallShield
2010-08-20 03:05 . 2010-08-20 03:05    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2010-08-20 03:05 . 2010-08-20 03:05    --------    d-----w-    c:\program files\DellTPad
2010-08-20 02:38 . 2010-08-20 02:38    0    ----a-w-    c:\users\Elliot\jagex__preferences3.dat
2010-08-20 02:34 . 2010-08-20 02:34    --------    d-----w-    c:\users\Elliot\AppData\Roaming\Yahoo!
2010-08-20 02:34 . 2010-08-20 02:33    --------    d-----w-    c:\programdata\Yahoo!
2010-08-20 02:33 . 2010-08-20 02:33    423656    ----a-w-    c:\windows\system32\deployJava1.dll
2010-08-20 02:32 . 2010-08-20 03:34    --------    d-----w-    c:\program files\Java
2010-08-20 02:10 . 2010-08-20 02:10    --------    d-----w-    c:\program files\CONEXANT
2010-08-20 01:56 . 2010-08-20 01:56    --------    d-----w-    c:\program files\Alwil Software
2010-08-20 01:56 . 2010-08-20 01:56    --------    d-----w-    c:\program files\SigmaTel
2010-08-20 01:52 . 2010-08-20 01:52    45056    ----a-r-    c:\users\Elliot\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2010-08-20 01:52 . 2010-08-20 01:52    10134    ----a-r-    c:\users\Elliot\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
2010-08-20 01:39 . 2006-11-02 13:02    1356    ----a-w-    c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2010-08-20 01:39 . 2010-08-20 01:39    48600    ----a-w-    c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-20 01:21 . 2010-08-20 01:21    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-08-06 03:19 . 2010-08-27 15:19    52224    ----a-w-    c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\FFExternalAlert.dll
2010-08-06 03:19 . 2010-08-27 15:19    101376    ----a-w-    c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\RadioWMPCore.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 133656]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-05-20 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP;
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 aswFsBlk;aswFsBlk;
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\FFExternalAlert.dll
FF - component: c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,cd,78,18,b0,43,c9,45,b6,95,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,cd,78,18,b0,43,c9,45,b6,95,37,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-10-07  17:13:53 - machine was rebooted
ComboFix-quarantined-files.txt  2010-10-07 21:13

Pre-Run: 199,816,708,096 bytes free
Post-Run: 198,689,046,528 bytes free

- - End Of File - - 36693C7393260BCB30F05394350CB798

1.1K Posts

October 7th, 2010 16:00

Hiya freezeman12,

Proceed as follows:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text between the dotted lines below into it:


------------------------------------------------------------------------------

KillAll::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
------------------------------------------------------------------------------

Save this as CFScript.txt, in the same location as ComboFix.exe

user posted image

user posted image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Post the log in your reply. Any improvements? Issues?

Kevin
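The procedure above (lift the key paths out of the LOCKED REGISTRY KEYS block, put them under RegLock:: in a CFScript, run it, then check the new log) can be mechanised. The following is an added example, not code from this thread, from ComboFix or from its author: a small Python helper that splits a ComboFix log into its sections, extracts the locked key paths together with their @Denied entries, emits the same RegLock:: block Kevin posted, and compares the pre- and post-script logs so you can confirm those keys are no longer reported as locked. The two sample logs are constructed from the format pasted in this thread; the directive names KillAll:: and RegLock:: come from the post above, while the header styles and the @Denied line layout the parser recognises are assumptions drawn from the logs as pasted.

```python
"""Added example (not from the thread, ComboFix or its author): parse ComboFix
log sections, build the CFScript RegLock:: block from the LOCKED REGISTRY KEYS
list, and verify the follow-up log no longer lists those keys."""
import re

# Header styles observed in the pasted ComboFix output (assumed to be exhaustive):
#   ((((((   Other Deletions   ))))))
#   ------- Supplementary Scan -------
#   - - - - ORPHANS REMOVED - - - -
_HEADER_RE = re.compile(
    r"^\s*(?:\(+\s*(?P<paren>.+?)\s*\)+"
    r"|-{3,}\s*(?P<dash>.+?)\s*-{3,}"
    r"|(?:- ){2,}\s*(?P<spaced>.+?)\s*(?: -){2,})\s*$"
)
_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.+)\]$")
_DENIED_RE = re.compile(r"^@Denied:\s*\(([^)]*)\)\s*\(([^)]*)\)")


def parse_sections(log_text):
    """Map each section title to its non-empty lines (the '.' filler lines are dropped)."""
    sections = {"PREAMBLE": []}
    current = "PREAMBLE"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = _HEADER_RE.match(line)
        if m:
            current = (m.group("paren") or m.group("dash") or m.group("spaced")).strip()
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def locked_registry_keys(sections):
    """Return [(key_path, [(access_mask, principal), ...]), ...] for every locked key."""
    keys = []
    for line in sections.get("LOCKED REGISTRY KEYS", []):
        km = _KEY_RE.match(line)
        if km:
            keys.append((km.group(1), []))
        elif keys:
            dm = _DENIED_RE.match(line)
            if dm:
                keys[-1][1].append((dm.group(1), dm.group(2)))
    return keys


def build_cfscript(keys, kill_all=True):
    """Emit CFScript text: optional KillAll:: directive, then one RegLock:: entry per key."""
    lines = ["KillAll::", ""] if kill_all else []
    lines.append("RegLock::")
    lines.extend("[%s]" % path for path, _ in keys)
    return "\n".join(lines) + "\n"


def still_locked(before_text, after_text):
    """Keys reported locked in the pre-script log that the post-script log still reports."""
    before = {path for path, _ in locked_registry_keys(parse_sections(before_text))}
    after = {path for path, _ in locked_registry_keys(parse_sections(after_text))}
    return sorted(before & after)


# Constructed sample logs, trimmed to the sections this helper cares about.
LOG_BEFORE = r"""ComboFix 10-10-07.01 - Elliot 10/07/2010  12:00:00.1.1 - x86
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Launcher.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
"""

LOG_AFTER = r"""ComboFix 10-10-07.01 - Elliot 10/07/2010  12:30:00.2.2 - x86
Command switches used :: c:\users\Elliot\Desktop\CFScript.txt
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
"""

if __name__ == "__main__":
    found = locked_registry_keys(parse_sections(LOG_BEFORE))
    print(build_cfscript(found))
    print("still locked after script:", still_locked(LOG_BEFORE, LOG_AFTER))
```

Which locked keys actually need unlocking is still the analyst's call: the log lists Allowed entries beside the Denied ones, and the helper only reproduces the selection the thread made (every key under the LOCKED REGISTRY KEYS header). An empty result from still_locked is the check the follow-up post is asking for; a non-empty result means the RegLock:: block did not take and the ACLs should be looked at directly.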

14 Posts

October 7th, 2010 17:00

ComboFix 10-10-07.01 - Elliot 10/07/2010  18:46:22.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3061.1845 [GMT -4:00]
Running from: c:\users\Elliot\Desktop\ComboFix.exe
Command switches used :: c:\users\Elliot\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((   Files Created from 2010-09-07 to 2010-10-07  )))))))))))))))))))))))))))))))
.

2010-10-07 22:52 . 2010-10-07 23:00    --------    d-----w-    c:\users\Elliot\AppData\Local\temp
2010-10-07 22:52 . 2010-10-07 22:52    --------    d-----w-    c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-10-07 22:52 . 2010-10-07 22:52    --------    d-----w-    c:\users\Public\AppData\Local\temp
2010-10-07 22:52 . 2010-10-07 22:52    --------    d-----w-    c:\users\Default\AppData\Local\temp
2010-10-07 22:43 . 2010-10-07 22:44    --------    d-----w-    C:\32788R22FWJFW
2010-10-07 05:52 . 2010-10-07 05:52    --------    d-----w-    c:\program files\ESET
2010-10-07 05:39 . 2010-10-07 05:39    --------    d-----w-    C:\_OTM
2010-10-07 01:26 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-07 01:26 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-10-06 23:00 . 2010-10-06 23:00    --------    d-----w-    c:\program files\CCleaner
2010-10-04 22:20 . 2010-10-04 22:20    --------    d-----w-    c:\users\Elliot\AppData\Roaming\Malwarebytes
2010-10-04 22:20 . 2010-10-04 22:20    --------    d-----w-    c:\programdata\Malwarebytes
2010-10-04 22:20 . 2010-10-07 01:26    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-10-04 22:16 . 2010-10-07 21:53    --------    d-----w-    c:\windows\system32\catroot2
2010-10-04 03:58 . 2010-10-04 03:59    --------    d-----w-    c:\programdata\PopCap Games
2010-10-04 02:25 . 2010-09-07 14:52    46672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2010-10-04 02:25 . 2010-09-07 14:52    165584    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2010-10-04 02:25 . 2010-09-07 14:47    23376    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2010-10-04 02:25 . 2010-09-07 14:47    50768    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2010-10-04 02:25 . 2010-09-07 14:47    17744    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2010-10-04 02:25 . 2010-09-07 15:12    38848    ----a-w-    c:\windows\avastSS.scr
2010-10-04 02:25 . 2010-09-07 15:11    167592    ----a-w-    c:\windows\system32\aswBoot.exe
2010-10-04 00:58 . 2010-10-04 00:58    --------    d-sh--w-    c:\windows\system32\%APPDATA%
2010-09-30 23:48 . 2010-09-30 23:49    --------    d-----w-    c:\users\Elliot\AppData\Roaming\vlc
2010-09-20 02:23 . 2010-09-24 06:51    --------    d-----w-    c:\programdata\SecTaskMan
2010-09-18 06:04 . 2010-09-18 06:07    --------    d-----w-    c:\users\Elliot\AppData\Roaming\DivX
2010-09-18 06:02 . 2010-09-18 06:05    --------    d-----w-    c:\program files\DivX
2010-09-18 06:02 . 2010-09-18 06:05    --------    d-----w-    c:\programdata\DivX
2010-09-12 19:48 . 2010-09-12 20:12    --------    d-----w-    c:\users\Elliot\AppData\Local\Graboid
2010-09-12 19:48 . 2010-09-12 19:49    --------    d-----w-    c:\users\Elliot\AppData\Roaming\MozillaControl
2010-09-12 19:47 . 2010-09-12 19:47    --------    d-----w-    c:\program files\VideoLAN
2010-09-12 19:46 . 2010-09-20 01:43    --------    d-----w-    c:\program files\Graboid

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 22:39 . 2010-08-20 02:35    46    ----a-w-    c:\users\Elliot\jagex_runescape_preferences.dat
2010-10-07 22:39 . 2010-08-20 02:38    99    ----a-w-    c:\users\Elliot\jagex_runescape_preferences2.dat
2010-10-06 23:11 . 2010-08-20 02:03    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2010-10-05 00:32 . 2010-09-01 02:37    372736    ----a-w-    c:\programdata\Dell\DSL\DSLCheck.exe
2010-10-04 02:25 . 2010-08-20 01:56    --------    d-----w-    c:\programdata\Alwil Software
2010-10-04 01:47 . 2010-08-20 02:03    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-10-04 00:21 . 2010-09-04 07:20    --------    d-----w-    c:\program files\Windows Portable Devices
2010-10-04 00:19 . 2010-08-20 04:04    --------    d-----w-    c:\programdata\Microsoft Help
2010-10-04 00:19 . 2010-08-20 03:28    --------    d-----w-    c:\programdata\Dell
2010-10-04 00:19 . 2010-08-20 02:34    --------    d-----w-    c:\programdata\Yahoo! Companion
2010-10-04 00:19 . 2010-08-20 02:31    --------    d-----w-    c:\program files\Yahoo!
2010-10-04 00:19 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Sidebar
2010-10-04 00:18 . 2006-11-02 11:18    --------    d-----w-    c:\program files\Windows Mail
2010-09-24 10:23 . 2010-08-20 02:34    --------    d-----w-    c:\programdata\Yahoo! Companion(553)
2010-09-22 05:53 . 2010-08-20 01:42    1356    ----a-w-    c:\users\Elliot\AppData\Local\d3d9caps.dat
2010-09-04 07:19 . 2006-11-02 10:25    86016    ----a-w-    c:\windows\Inf\infstrng.dat
2010-09-04 07:19 . 2006-11-02 10:25    86016    ----a-w-    c:\windows\Inf\infstor.dat
2010-09-04 07:19 . 2006-11-02 10:25    665600    ----a-w-    c:\windows\Inf\drvindex.dat
2010-09-04 07:19 . 2006-11-02 10:25    51200    ----a-w-    c:\windows\Inf\infpub.dat
2010-09-04 07:19 . 2010-09-04 07:19    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Photo Gallery
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Journal
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Collaboration
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Calendar
2010-09-04 02:36 . 2006-11-02 12:37    --------    d-----w-    c:\program files\Windows Defender
2010-08-23 04:15 . 2010-08-23 00:53    --------    d-----w-    c:\programdata\Norton
2010-08-23 00:53 . 2010-08-23 00:53    --------    d-----w-    c:\programdata\Symantec
2010-08-23 00:53 . 2010-08-23 00:53    --------    d-----w-    c:\programdata\NortonInstaller
2010-08-21 00:46 . 2010-08-21 00:45    --------    d-----w-    c:\program files\Common Files\Adobe
2010-08-20 23:37 . 2010-08-20 23:37    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2010-08-20 23:07 . 2010-08-20 04:10    --------    d-----w-    c:\program files\Microsoft.NET
2010-08-20 23:03 . 2010-08-20 01:42    59464    ----a-w-    c:\users\Elliot\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-20 23:02 . 2010-08-20 23:02    --------    d-----w-    c:\programdata\Office Genuine Advantage
2010-08-20 22:11 . 2010-08-20 04:10    --------    d-----w-    c:\program files\Microsoft Works
2010-08-20 03:55 . 2010-08-20 03:55    --------    d-----w-    c:\program files\CyberLink
2010-08-20 03:55 . 2010-08-20 03:55    --------    d-----w-    c:\programdata\CyberLink
2010-08-20 03:55 . 2010-08-20 01:56    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-08-20 03:55 . 2010-08-20 01:52    --------    d-----w-    c:\program files\Dell
2010-08-20 03:48 . 2010-08-20 03:48    76    --sh--r-    c:\windows\CT4CET.bin
2010-08-20 03:48 . 2010-08-20 03:46    --------    d-----w-    c:\program files\Creative
2010-08-20 03:48 . 2010-08-20 03:48    --------    d-----w-    c:\program files\Common Files\Reallusion
2010-08-20 03:47 . 2010-08-20 03:47    --------    d-----w-    c:\program files\Creative Live! Cam
2010-08-20 03:34 . 2010-08-20 03:34    --------    d-----w-    c:\program files\Common Files\Java
2010-08-20 03:31 . 2010-08-20 03:31    --------    d-----w-    c:\program files\Modem Diagnostic Tool
2010-08-20 03:29 . 2010-08-20 03:29    69120    ----a-w-    c:\programdata\SupportSoft\DellSupportCenter\_default\data\f9cd5860-4b46-43fa-aa04-46ba9e956204\7e7d3c88-958b-4607-85a7-8c1cc5188887.1\NOTEPAD.EXE
2010-08-20 03:29 . 2010-08-20 03:29    --------    d-----w-    c:\programdata\SupportSoft
2010-08-20 03:29 . 2010-08-20 03:28    --------    d-----w-    c:\program files\Dell Support Center
2010-08-20 03:28 . 2010-08-20 03:28    --------    d-----w-    c:\program files\Common Files\supportsoft
2010-08-20 03:21 . 2010-08-20 02:04    --------    d-----w-    c:\program files\Intel
2010-08-20 03:17 . 2010-08-20 03:17    --------    d-----w-    c:\program files\Marvell
2010-08-20 03:16 . 2010-08-20 01:56    --------    d-----w-    c:\program files\Common Files\InstallShield
2010-08-20 03:16 . 2010-08-20 03:16    --------    d-----w-    c:\users\Elliot\AppData\Roaming\TMP
2010-08-20 03:09 . 2010-08-20 03:09    --------    d-----w-    c:\program files\Cisco
2010-08-20 03:07 . 2010-08-20 03:07    --------    d-----w-    c:\users\Elliot\AppData\Roaming\InstallShield
2010-08-20 03:05 . 2010-08-20 03:05    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2010-08-20 03:05 . 2010-08-20 03:05    --------    d-----w-    c:\program files\DellTPad
2010-08-20 02:38 . 2010-08-20 02:38    0    ----a-w-    c:\users\Elliot\jagex__preferences3.dat
2010-08-20 02:34 . 2010-08-20 02:34    --------    d-----w-    c:\users\Elliot\AppData\Roaming\Yahoo!
2010-08-20 02:34 . 2010-08-20 02:33    --------    d-----w-    c:\programdata\Yahoo!
2010-08-20 02:33 . 2010-08-20 02:33    423656    ----a-w-    c:\windows\system32\deployJava1.dll
2010-08-20 02:32 . 2010-08-20 03:34    --------    d-----w-    c:\program files\Java
2010-08-20 02:10 . 2010-08-20 02:10    --------    d-----w-    c:\program files\CONEXANT
2010-08-20 01:56 . 2010-08-20 01:56    --------    d-----w-    c:\program files\Alwil Software
2010-08-20 01:56 . 2010-08-20 01:56    --------    d-----w-    c:\program files\SigmaTel
2010-08-20 01:52 . 2010-08-20 01:52    45056    ----a-r-    c:\users\Elliot\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2010-08-20 01:52 . 2010-08-20 01:52    10134    ----a-r-    c:\users\Elliot\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
2010-08-20 01:39 . 2006-11-02 13:02    1356    ----a-w-    c:\windows\system32\config\systemprofile\AppData\Local\d3d9caps.dat
2010-08-20 01:39 . 2010-08-20 01:39    48600    ----a-w-    c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-20 01:21 . 2010-08-20 01:21    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-08-06 03:19 . 2010-08-27 15:19    52224    ----a-w-    c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\FFExternalAlert.dll
2010-08-06 03:19 . 2010-08-27 15:19    101376    ----a-w-    c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\RadioWMPCore.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 133656]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-05-20 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP;
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 aswFsBlk;aswFsBlk;
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\FFExternalAlert.dll
FF - component: c:\users\Elliot\AppData\Roaming\Mozilla\Firefox\Profiles\035p0pjf.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
.
**************************************************************************
.
Completion time: 2010-10-07  19:03:13 - machine was rebooted
ComboFix-quarantined-files.txt  2010-10-07 23:03
ComboFix2.txt  2010-10-07 21:13

Pre-Run: 196,894,212,096 bytes free
Post-Run: 196,991,995,904 bytes free

- - End Of File - - 4BB1805DE6206B802882D4AF4DAEF484
Still can't get updates for my Windows. I got a code 8024007 error and a code 646 error.
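The log above is the kind of thing the helper reads by eye: the autorun values, the service list and the browser proxy settings. As an added example (not part of this thread, and not ComboFix's own code), the following Python script parses those three sections of a ComboFix-style log and applies the checks a triage analyst does first: an IE proxy pointing at a local port, a Firefox proxy type other than 0, autoruns living in a user-writable directory, and services with no image path recorded. The sample log is constructed for the example: most lines are copied from the posted output, but the HKLM Run key header, the `ProxyServer` line and the "Updater" autorun are invented to make the rules fire and describe nothing about the original poster's machine.

```python
"""Triage the autorun, service and proxy sections of a ComboFix-style log.

Added example for this thread; it is not ComboFix's code and not from the
original post. The sample below is constructed: the Run key header, the
ProxyServer line and the "Updater" value are invented; the rest is copied
from the log posted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Updater"=c:\users\someone\AppData\Local\Temp\updater.exe [2010-10-01 51200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S1 aswSP;aswSP;
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]

uInternet Settings,ProxyServer = http=127.0.0.1:8080
uInternet Settings,ProxyOverride =
FF - prefs.js: network.proxy.type - 0
'''

# Registry key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# "Name"="path" [yyyy-mm-dd size]   or   "Name"=path with no file metadata
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>"[^"]*"|[^\[]+?)'
                      r'(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?\s*$')
# S2 name;display name;path [yyyy-mm-dd size]   (path may be empty)
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                        r'(?P<path>[^\[]*?)(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?\s*$')
# uInternet Settings,ProxyServer = ...   (u = current user, m = machine)
IE_RE = re.compile(r'^[um]Internet Settings,(?P<name>\w+)\s*=\s*(?P<value>.*)$')
FF_RE = re.compile(r'^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$')

# Directories a standard user cannot write to; anything else deserves a look.
TRUSTED_DIRS = ('c:\\program files', 'c:\\windows', 'c:\\programdata')


@dataclass
class Entry:
    kind: str          # 'autorun' or 'service'
    name: str
    path: str
    key: str = ''      # registry key for autoruns, start type (S1/R2...) for services
    dated: bool = False  # True when ComboFix printed [date size], i.e. it found the file


def parse_log(text):
    """Return (entries, ie_settings, firefox_prefs) from a ComboFix-style log."""
    entries, ie, ff = [], {}, {}
    current_key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry('service', m['name'], m['path'].strip(),
                                 m['start'], m['date'] is not None))
            continue
        m = VALUE_RE.match(line)
        # Only values under Run / Run- / RunOnce keys are autoruns; skip policy values.
        if m and current_key.rsplit('\\', 1)[-1].lower().startswith('run'):
            entries.append(Entry('autorun', m['name'], m['path'].strip('"'),
                                 current_key, m['date'] is not None))
            continue
        m = IE_RE.match(line)
        if m:
            ie[m['name']] = m['value'].strip()
            continue
        m = FF_RE.match(line)
        if m:
            ff[m['pref']] = m['value'].strip()
    return entries, ie, ff


def triage(entries, ie, ff):
    """Apply first-pass analyst rules; returns a list of human-readable findings."""
    findings = []
    if ie.get('ProxyServer'):
        findings.append(f"IE ProxyServer is set to {ie['ProxyServer']}: a proxy on "
                        "127.0.0.1 routes all browser traffic through a local process; "
                        "verify it is intentional")
    if ff.get('network.proxy.type', '0') != '0':
        findings.append(f"Firefox network.proxy.type is {ff['network.proxy.type']}: "
                        "manual/auto proxy configured")
    for e in entries:
        if e.kind == 'autorun' and e.key.endswith('-'):
            continue  # 'run-' holds disabled entries; nothing starts from here
        if e.kind == 'service' and not e.path:
            findings.append(f"service {e.name} ({e.key}) has no image path in the log: "
                            f"confirm with 'sc qc {e.name}'")
        elif e.kind == 'autorun' and not e.path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"autorun {e.name} runs from {e.path}: user-writable location")
        elif e.path and not e.dated:
            findings.append(f"{e.kind} {e.name}: no [date size] recorded, file may be missing")
    return findings


if __name__ == '__main__':
    for f in triage(*parse_log(SAMPLE_LOG)):
        print('-', f)
```

Each finding is a prompt for a manual check, not a verdict: the avast self-protection entry `aswSP` legitimately has no path in this log, and an autorun under a `run-` key is disabled, which is why the script skips it rather than flagging it.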

1.1K Posts

October 8th, 2010 02:00
Hiya freezeman12,

Try turning UAC (user access control) to off and try updates again:

Start.
Control Panel.
User Accounts
User Accounts (in the new window)
Turn User Account Control (UAC) on or off.
check the box to turn off UAC.
click "OK".
restart computer.
run Microsoft updates.
reverse procedure to turn UAC back on.

If that doesn't help go Here and run Microsoft Fixit. The 646 error is apparently related to MS Office, quite a common problem from what I've found using Google.

Let me know how you get on.

Kevin

14 Posts

October 8th, 2010 12:00

I was able to get the updates for my Windows but I have a question. Do I have to turn my UAC off every time I want to get a Windows update?

1.1K Posts

October 8th, 2010 13:00

Hiya Freezeman12,

An honest answer to your question is I don't know; it's an anomaly that happens to some systems and not others. It's one of the mysteries of Windows, you may find all of your updates will now work as they should.
At least you've got them working, make sure to turn UAC back on before you start active surfing etc. Let's clean up, as follows please :-

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Step 2

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • Anything left on the Desktop can be deleted


Step 3

Although your Java is up to date, you still have an old version installed; this will be vulnerable and needs to be uninstalled.

From Uninstall a Program via the Control Panel uninstall the following

Java(TM) 6 Update 5

Also Adobe Reader 8.2.0 while there.

Step 4

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to update.

Adobe Reader (untick the Free McAfee® Security Scan Plus option)

Step 5

Re-open CCleaner and run the cleaner again.

Let me know if the above complete OK, especially the Combofix /Uninstall command.

Kevin

14 Posts

October 8th, 2010 14:00

Weird, I have java version 6 update 21. Where do you see java update 5?

1.1K Posts

October 8th, 2010 14:00

Security Checks log,

14 Posts

October 8th, 2010 14:00

Is Adobe Acrobat Reader and Adobe Reader the same thing?