# Annoying About:Blank error



## lyhipu9 (Aug 25, 2008)

Hi, I am having an annoying error whenever I click a link, *except when I'm on my browser.* When I click the link, my browser opens and displays the page as usual, but this annoying message pops up: "Cannot find 'about:blank'. Make sure the path or Internet address is correct," with Windows Internet Explorer as the label. It also appears on Gigaget whenever it starts up (probably the ad, but I never saw one). It also appears when I install/uninstall certain programs, where they show me their websites in my browser *(FF BTW)*. I've tried enabling and disabling IE, but it didn't make a difference. This problem has been persisting for a long time now; I think it first appeared after I uninstalled GesWall (with Revo >_>). It doesn't interfere with my system, but I'm sick and tired of seeing, hearing, and having to close it. Please help.


----------



## Tech_Fix (Jun 23, 2008)

Download Mozilla Firefox, an excellent browser, even better than IE. Set it as the default browser, and if the error appears in Firefox then post again.
Here's the link: http://www.mozilla.com/en-US/products/download.html?product=firefox-3.0.1&os=win&lang=en-US


----------



## lyhipu9 (Aug 25, 2008)

Uh, I think you will need to read it more carefully next time. My default browser is Firefox.


----------



## Tech_Fix (Jun 23, 2008)

FF BTW? Please write "Firefox BTW" next time.


----------



## lyhipu9 (Aug 25, 2008)

Well, thanks for trying (can't seem to find the edit button on my topic post right now...). Still, any other suggestions?


----------



## Tech_Fix (Jun 23, 2008)

do you have a firewall running?


----------



## lyhipu9 (Aug 25, 2008)

Ya, Comodo, but I don't think it's the reason; I've checked the network security policy and other parts of it.


----------



## Tech_Fix (Jun 23, 2008)

What you've got there sounds like the "Cool WWW Search" spyware/adware. The 'best' way to remove this is with the latest version of 'CWShredder'. This can be found in various locations; however, the spyware people have been attacking its home site for a few weeks now, so I'll just give you a link:
http://www.majorgeeks.com/download4086.html
Pick one of the three download links there, get the software (very small) and run it. Be sure to close all browser and folder windows before you do!
This will likely sort out the about:blank issue for you!
If CWShredder doesn't work, head over to www.webroot.com and get the trial version of SpySweeper 3.0. That will likely knock anything out of your system that's in your way!
Hope this helps.


----------



## Tech_Fix (Jun 23, 2008)

If that doesn't work, I would rather wait for one of the "golden shields" to come.


----------



## lyhipu9 (Aug 25, 2008)

When I tried CWShredder, it asked me to choose whether to delete C:\WINDOWS\UNINSTCC.exe or not. After a little searching I decided to delete it, because it seems useless (I've already uninstalled C&C). It also said it deleted something else when it finished, but I didn't get to see it clearly, because I clicked too quickly. The problem still isn't solved though. To clarify (because my problem is a bit different than the usual About:Blank errors I've seen before): whenever Firefox pops up, it still shows the correct link and page, but it still shows that damn message. Also, should I upgrade my CWShredder? It said it has a new update (2.00.0000). I really don't want to install a trial antispyware program just for this, since I've recently experienced a clash of my security programs after installing a new one (took a long while to solve this). Lastly, just to be sure, I will show you my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:24 AM, on 26/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ssstars.scr
C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TClock Lite] C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [NuonSoft Wallpaper Cycler] "C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" 
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214249873656
O20 - AppInit_DLLs: 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5117 bytes
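
The log above is in HijackThis v2 format: a header, a "Running processes:" list, then one entry per line whose section code (O2, O4, O23, ...) says what kind of startup or browser hook it describes. The parser below is an added example, not code from this thread or from HijackThis itself; the function names (`parse_hjt`, `review`, `count_by_section`) are my own, and the sample log is constructed from a handful of lines modelled on the one posted. It splits each entry into its section and the file it points at, then emits triage notes a reviewer would want: O4 autostart entries given as a bare file name (resolved through the PATH search order rather than an absolute path), O23 services with no vendor string, whether O20 AppInit_DLLs is empty, and which DLLs the O2 BHO entries load into Internet Explorer. It is a reading aid only; it makes no malware verdict, which is still the reviewer's job.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in HijackThis v2 format, modelled on a few lines of the
# log posted above (not the complete log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:24 AM, on 26/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O20 - AppInit_DLLs: 
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # "O4 - <body>"
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")       # absolute Windows path


@dataclass
class Entry:
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "
    target: str    # file or value the entry points at ("" if none)


def _o4_target(body: str) -> str:
    """O4 body: HKLM\\..\\Run: [Name] "C:\\path\\prog.exe" -h  or  [Name] prog.exe"""
    if "] " not in body:
        return ""
    after = body.split("] ", 1)[1].strip()
    if after.startswith('"'):                # quoted path, arguments may follow
        return after[1:].split('"', 1)[0]
    return after.split(" ", 1)[0]            # unquoted: first token is the file


def entry_target(section: str, body: str) -> str:
    """Pick out the path/value an entry refers to, per section layout."""
    if section == "O4":
        return _o4_target(body)
    if section == "O20":                     # "AppInit_DLLs: <value>"
        return body.split(":", 1)[1].strip() if ":" in body else ""
    if section in ("O2", "O9", "O23"):       # path is the last " - " segment
        return body.rsplit(" - ", 1)[-1].strip()
    return ""


def parse_hjt(text: str) -> Dict[str, list]:
    """Split a HijackThis log into its running-process list and O-entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                     # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sec, body = m.group(1), m.group(2)
            entries.append(Entry(sec, body, entry_target(sec, body)))
    return {"processes": processes, "entries": entries}


def count_by_section(parsed: Dict[str, list]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in parsed["entries"]:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def review(parsed: Dict[str, list]) -> List[str]:
    """Triage notes for a human reviewer; no verdicts, just what to check."""
    notes: List[str] = []
    for e in parsed["entries"]:
        if e.section == "O4" and e.target and not DRIVE_RE.match(e.target):
            notes.append(f"O4 '{e.target}': bare file name, resolved via the PATH "
                         f"search order; confirm which file actually runs")
        if e.section == "O23" and "Unknown owner" in e.body:
            notes.append(f"O23 '{e.target}': no vendor string recorded; verify the "
                         f"file's publisher before trusting it")
        if e.section == "O20":
            notes.append("O20 AppInit_DLLs is empty" if not e.target else
                         f"O20 AppInit_DLLs loads '{e.target}' into every GUI process; verify it")
        if e.section == "O2":
            notes.append(f"O2 BHO loads '{e.target}' into Internet Explorer")
    return notes


if __name__ == "__main__":
    result = parse_hjt(SAMPLE_LOG)
    print(count_by_section(result))
    for note in review(result):
        print("-", note)
```

Run it against a full log saved from HijackThis (read the file into `parse_hjt`) and the O4 bare-name and O23 "Unknown owner" notes give a short list of entries to look up by hand; an empty O20 line, as in the log above, is the expected state.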


----------



## Tech_Fix (Jun 23, 2008)

Well, I'm sorry, but HJT logs don't mean anything to me yet. Before I got on this forum I didn't even know about HijackThis, so I've been interested and I'm still learning how to read and understand them. So for now, call for a "Gold Shield" to come and see if this problem is malware related.


----------



## lyhipu9 (Aug 25, 2008)

What do you mean by call for "Gold Shield"? Is he a member? Do I PM him? Well I updated my CWShredder to 2.00.0000, and it said it removed 2 more things. Then I reopened Gigaget again, but it still shows the error message.


----------



## iltos (Jun 13, 2004)

gold shields are members and mods who are qualified to evaluate hijack logs....i've already reported your post, asking one of them to take a look at your log....hang in there, lyhipu9, they're busy enough in the malware forum....but one'll find the time to take a look in a day or so.....


----------



## lyhipu9 (Aug 25, 2008)

Ok, thanks. I'll be waiting.


----------



## Tech_Fix (Jun 23, 2008)

Oh yeah, and from what I know about HJT it seems that you have one problem. But I'd rather wait for them too.


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*


----------



## lyhipu9 (Aug 25, 2008)

I did the quick scan, it removed 3 things, and I had to restart, but I didn't notice anything different other than my start menu being restored to its original form (I edited it BTW)... Then I did a full scan, and it removed something from one of my restore points... Oh yeah, I seem to have mistaken some of the errors. When I open an htm (and html) document, an error labeled *C:\wherever it is\whatever it's named* pops up, and states: *Windows cannot find 'C:\wherever it is\whatever it's named'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.* The file is still opened properly in Firefox. The same thing happens when I open an internet shortcut file as well. Sorry about that. Also Gigaget still has the about:blank error. Anyways, here are the logs:

Malwarebytes' Anti-Malware 1.25
Database version: 1090
Windows 5.1.2600 Service Pack 3

7:19:29 PM 27/08/2008
mbam-log-08-27-2008 (19-19-29).txt

Scan type: Quick Scan
Objects scanned: 39639
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\[email protected]@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.25
Database version: 1090
Windows 5.1.2600 Service Pack 3

8:25:36 PM 27/08/2008
mbam-log-08-27-2008 (20-25-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 95956
Time elapsed: 48 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{BE6AD5DD-98A3-4DE5-92B0-1E1BCE3FAFD8}\RP432\A0175004.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:58 PM, on 27/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TClock Lite] C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [NuonSoft Wallpaper Cycler] "C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" 
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214249873656
O20 - AppInit_DLLs: 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 4982 bytes

*Edit*
Oh yeah, I also have other problems. I don't know if they're related to this one or not, but when I open the shortcut to Help and Support on my Start menu, it shows the same kind of error as when opening htm files. It also happens when I try to Run msconfig, although the file still clearly exists. Also my Help and Support service seems to be missing for no apparent reason.


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## lyhipu9 (Aug 25, 2008)

Hmmn, does it prevent the auto run of those devices permanently (until undone) or temporarily?

*Edit*
Also, I don't have a CD drive + Windows CD (my dad took it away, since I rarely used it), and it seems the Windows XP Setup disks for a floppy download do not include SP3. I'm not sure if I should run ComboFix, because it's so risky, and my problem is barely worth the risk.


----------



## Cookiegal (Aug 27, 2003)

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version (it's the fifth one down the list):

*Java Runtime Environment (JRE) 6 Update 7*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## lyhipu9 (Aug 25, 2008)

I did the online scan properly, but it found nothing... Just how risky is ComboFix btw? Do I really need Windows Recovery Console? Is System Restore enough? (excluding the possibility of a failed Boot and Safe Boot...).


----------



## TheOutcaste (Aug 8, 2007)

lyhipu9 said:


> *Edit*
> Also, I don't have a CD drive + Windows CD (my dad took it away, since I rarely used it), and it seems the Windows XP Setup disks for a floppy download do not include SP3. I'm not sure if I should run ComboFix, because it's so risky, and my problem is barely worth the risk.


If you have SP3 installed, download the SP2 file to use with Combofix as step 2 of the Combofix guide shows.

As you have an HP PC, I suspect you have the i386 folder already on the hard drive, probably at c:\i386. If so, you don't need the CD, just point to that folder instead of the CD to install the Recovery Console: *C:\i386\winnt32.exe /cmdcons*

If the PC shipped with SP1 or earlier that won't work though. You have to integrate the Service Pack files into the i386 folder.

This article shows how. As you don't have the CD, just copy the i386 folder that is already on the hard drive to c:\XPCD\i386. The same steps apply if you have SP3 installed, just use the SP3 file instead, which can be obtained here.

The Recovery Console takes less than 10 MiB of disk space. It can be very handy to have on the hard drive in case of problems. Of course the PC has to be able to boot far enough to get to the OS Selection menu, so it's not a 100% replacement for an XP CD with the latest SP (and SATA drivers slipstreamed in if needed), but it can still be a lifesaver.

HTH

Jerry


----------



## lyhipu9 (Aug 25, 2008)

Thanks for the info. I'll try it out monday night, because I'm going on vacation this weekend.


----------



## Cookiegal (Aug 27, 2003)

There is always some risk running any tools when malware is present on the machine. ComboFix creates backups and the system can be restored if the Recovery Console is installed.

You should always backup any important data, photos, music etc. to an external drive or CDs.


----------



## lyhipu9 (Aug 25, 2008)

Damn, another error. When I tried to integrate it, this appeared:
Setup
Failed to copy some or all of the files necessary for integrated install.

Please check that:
a) No network or copy errors occurred during integration process
b) The format of the destination directory is correct.
The files to be integrated must reside in an i386 and/or ia64 or nec 98 directory
(i.e. for an i386 share, if you typed "update /s:c:\cdshare", the files must be in the c:\cdshared\i386 directory).

Now what do I do?


----------



## Cookiegal (Aug 27, 2003)

Use the ComboFix method to install the Recovery console.


----------



## lyhipu9 (Aug 25, 2008)

Ok I will do it. Do I even need to integrate? Anyways I will edit this post when I'm finished (won't do it immediately, because I have other stuff to do for the moment).

*Edit*
Ran ComboFix, and it did fix everything, except the "Windows cannot find" errors (it doesn't appear if I already have Firefox running, just to explain it a bit more), and my Help and Support (don't need or care about this one though). Although it did restore a few things, it also fixed a bit of an icon problem that I had, but didn't bother with. Thanks for all of your help. Anyways here are the logs:

ComboFix 08-08-28.04 - Jeff Liu 2008-09-02 20:19:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.142 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff Liu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Liu\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-02 19:50 . 2008-09-02 19:50 d-------- C:\Program Files\AltDesk
2008-09-02 19:50 . 2008-09-02 19:50 d-------- C:\Documents and Settings\Jeff Liu\Application Data\AltDesk
2008-09-02 19:42 . 2008-09-02 19:47 125,829,120 --ahs---- C:\eboostr.dat
2008-09-02 19:39 . 2008-09-02 19:43 d-------- C:\Program Files\eBoostr
2008-09-02 18:25 . 2008-09-02 20:11 d-------- C:\Documents and Settings\All Users\Application Data\eboostr
2008-09-01 17:56 . 2008-09-01 18:28 d-------- C:\XPSP3
2008-09-01 17:55 . 2008-09-01 17:56 d-------- C:\XPCD
2008-08-30 02:40 . 2008-08-30 02:40 d-------- C:\Program Files\danny_kay1710
2008-08-30 00:43 . 2008-09-02 01:03 d-------- C:\Program Files\ClipX
2008-08-28 00:21 . 2008-08-28 00:21 d-------- C:\Documents and Settings\Jeff Liu\Application Data\vlc
2008-08-28 00:20 . 2008-08-28 00:20 d-------- C:\Program Files\VideoLAN
2008-08-27 19:14 . 2008-08-27 19:14 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 19:14 . 2008-08-27 19:14 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Malwarebytes
2008-08-27 19:14 . 2008-08-27 19:14 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 19:14 . 2008-08-17 15:05 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 19:14 . 2008-08-17 15:05 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 02:12 . 2008-09-02 20:11 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-08-22 22:19 . 2005-09-21 16:25 12,800 --a------ C:\WINDOWS\system32\drivers\FNM1.tmp
2008-08-22 22:19 . 2005-09-21 16:26 6,656 --a------ C:\WINDOWS\system32\drivers\FNM2.tmp
2008-08-22 09:57 . 2008-08-24 20:50 d-------- C:\Program Files\SIW
2008-08-22 08:49 . 2008-08-22 08:49 d-------- C:\Program Files\VIA
2008-08-20 19:43 . 2008-08-20 19:43 d-------- C:\Program Files\Giganology
2008-08-19 21:52 . 2008-08-19 21:52 d-------- C:\Program Files\DAMN NFO Viewer
2008-08-19 03:42 . 2008-08-19 03:42 d-------- C:\WINDOWS\speech
2008-08-19 03:42 . 2008-08-19 04:58 d-------- C:\WINDOWS\Lhsp
2008-08-18 06:11 . 2008-08-18 06:11 d-------- C:\Program Files\PeaZip
2008-08-18 04:23 . 2008-08-18 04:23 d-------- C:\Program Files\DarkSide Arklight 2
2008-08-18 04:23 . 2008-08-18 04:23 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Pi Eye Games
2008-08-17 08:17 . 2008-08-17 08:17 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-08-17 03:08 . 2008-08-19 21:59 d-------- C:\Program Files\GTA2
2008-08-15 21:24 . 2008-08-15 21:26 d-------- C:\Program Files\Feeding Frenzy 2
2008-08-15 16:07 . 2008-08-15 16:07 d-------- C:\Program Files\IObit
2008-08-15 05:16 . 2008-08-15 05:16 0 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 01:28 . 2008-08-15 21:16 d-------- C:\Program Files\Unlocker
2008-08-13 19:43 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-08-13 19:42 . 2008-08-13 19:42 d-------- C:\WINDOWS\Logs
2008-08-12 16:10 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 16:08 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 04:58 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-08-12 04:57 . 2008-08-12 04:57 d-------- C:\Documents and Settings\Jeff Liu\WINDOWS
2008-08-12 04:44 . 2008-08-12 04:44 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-10 04:58 . 2008-08-10 22:44 d-------- C:\WINDOWS\system32\MappedUp dir
2008-08-09 21:43 . 2008-03-07 10:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-09 21:43 . 2008-03-07 10:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-09 21:43 . 2008-03-07 10:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-09 16:51 . 2008-08-09 16:51 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Jane s Hotel
2008-08-09 16:50 . 2008-08-30 02:21 d-------- C:\Program Files\Realore
2008-08-08 05:17 . 2008-08-08 05:17 96,376 --a------ C:\WINDOWS\system32\drivers\EBoost.sys
2008-08-07 23:00 . 2008-08-07 23:00 3,932,214 --a------ C:\WINDOWS\AW_XenoMorph1280.bmp
2008-08-07 22:54 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-08-07 11:41 . 2008-08-07 11:41 d-------- C:\Program Files\NuonSoft
2008-08-07 06:21 . 2008-08-07 06:21 d-------- C:\Program Files\ThreatFire
2008-08-07 06:21 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-08-07 05:58 . 2008-08-07 06:21 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-07 05:28 . 2008-08-07 05:28 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-08-07 05:28 . 2008-08-07 05:28 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-07 05:28 . 2008-08-07 05:28 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-06 05:05 . 2008-08-06 05:05 d-------- C:\Program Files\Alwil Software
2008-08-06 04:10 . 2008-08-20 22:27 d-------- C:\Program Files\Battle for Wesnoth 1.5
2008-08-05 23:20 . 2008-08-05 23:20 d-------- C:\Program Files\Stormregion
2008-08-05 08:43 . 2008-08-05 08:43 d-------- C:\WINDOWS\system32\AGEIA
2008-08-05 03:17 . 2008-08-05 03:17 d-------- C:\Program Files\Take2
2008-08-04 23:25 . 2008-08-04 23:25 110,592 --a------ C:\WINDOWS\system32\duninstall.exe
2008-08-04 23:25 . 2008-08-04 23:25 56 --a------ C:\WINDOWS\1.00.0000
2008-08-03 00:23 . 2008-08-03 00:25 56 --a------ C:\WINDOWS\kgt2k.INI
2008-08-03 00:21 . 2008-08-03 00:24 42,643 --a------ C:\WINDOWS\‚Q‚cŠi"¬ƒcƒN[ƒ‹‚Q‚Ž‚„.mid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 03:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-03 03:26 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\uTorrent
2008-08-27 05:51 --------- d-----w C:\Program Files\Ricochet Infinity
2008-08-25 12:25 --------- d-----w C:\Program Files\Glary Utilities
2008-08-24 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 23:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-11 12:43 --------- d-----w C:\Program Files\uTorrent
2008-08-07 12:56 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\Comodo
2008-08-07 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-08-07 12:28 --------- d-----w C:\Program Files\Comodo
2008-08-06 06:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-04 07:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 03:35 --------- d-----w C:\Program Files\CachemanXP
2008-08-02 02:29 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\GlarySoft
2008-07-31 17:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 17:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 17:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-31 10:36 --------- d-----w C:\Program Files\IrfanView
2008-07-31 08:53 --------- d-----w C:\Program Files\Common Files\Pointstone
2008-07-29 12:34 --------- d-----w C:\Program Files\Trend Micro
2008-07-28 12:19 --------- d-----w C:\Program Files\Foxit Software
2008-07-26 21:50 --------- d-----w C:\Program Files\D4
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 -c--a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-17 21:20 --------- d-----w C:\Program Files\Java
2008-07-15 05:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-14 12:09 212,728 ----a-w C:\WINDOWS\CMDLIC.DLL
2008-07-14 02:02 --------- d-----w C:\Program Files\VirusTotalUploader
2008-07-14 00:34 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\KC Softwares
2008-07-12 15:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 15:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 15:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2008-07-12 06:11 --------- d-----w C:\Program Files\KC Softwares
2008-07-12 03:55 249,592 ----a-w C:\WINDOWS\system32\cssdll32.dll
2008-07-11 23:08 --------- d-----w C:\Program Files\DropMyRights
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-05 21:58 8,494,592 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-07-04 22:06 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 07:18 2,332,160 ----a-w C:\WINDOWS\system32\kernel1.exe
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-04 00:57 290,816 ----a-w C:\WINDOWS\system32\XDogcat.dll
2008-04-22 07:40 625,664 --sha-w C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
2008-04-14 12:42 60,416 --sha-w C:\WINDOWS\ServicePackFiles\i386\msimn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClock Lite"="C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe" [2004-09-07 17:16 44544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-08-09 15:46 267056]
"NuonSoft Wallpaper Cycler"="C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" [2007-12-15 18:00 1947704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dimension4"="C:\Program Files\D4\D4.exe" [2004-02-04 01:26 200704]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2008-08-07 05:28 1655552]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 05:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 05:00 455168]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-01 21:15 15872]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-08-14 21:14 2235720]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 10:28 495616]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 07:38 78008]
"ClipX"="C:\Program Files\ClipX\clipx.exe" [2005-11-30 14:34 68608]
"S3TRAY2"="S3tray2.exe" [2003-02-25 05:33 69632 C:\WINDOWS\system32\S3tray2.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - C:\Program Files\eBoostr\eBoostrCP.exe [2008-08-08 05:16:56 1011320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 01000000
"NoUserNameInStartMenu"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24704:TCP"= 24704:TCP:BitComet 24704 TCP
"24704:UDP"= 24704:UDP:BitComet 24704 UDP

R0 eBoost;eBoostr caching filter driver;C:\WINDOWS\system32\drivers\eBoost.sys [2008-08-08 05:17]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 07:35]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-07 05:28]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-07 05:28]
R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-09-02 20:11]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe [2008-04-30 19:54]
R2 EBOOSTRSVC;eBoostr Service;C:\Program Files\eBoostr\EBstrSvc.exe [2008-08-08 05:17]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-09-03 C:\WINDOWS\Tasks\GlaryInitialize.job
- C:\Program Files\Glary Utilities\initialize.exe [2008-07-18 11:08]

2008-09-02 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jeff Liu\Application Data\Mozilla\Firefox\Profiles\2646gh94.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 20:25:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\NuonSoft\WallpaperCycler3\Wallpaper Cycler Helper.dll
.
Completion time: 2008-09-02 20:29:37
ComboFix-quarantined-files.txt 2008-09-03 03:29:25

Pre-Run: 18,080,108,544 bytes free
Post-Run: 18,076,151,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut /bootlogo

254 --- E O F --- 2008-08-27 01:49:34
<----------------------------------------*Separator*------------------------------------------------>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:43 PM, on 02/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ClipX\clipx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\eBoostr\eBoostrCP.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe
C:\Program Files\eBoostr\EBstrSvc.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ClipX] C:\Program Files\ClipX\clipx.exe
O4 - HKCU\..\Run: [TClock Lite] C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [NuonSoft Wallpaper Cycler] "C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" 
O4 - Global Startup: eBoostr Control Panel.lnk = C:\Program Files\eBoostr\eBoostrCP.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214249873656
O20 - AppInit_DLLs: 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - eBoostr.com - C:\Program Files\eBoostr\EBstrSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5218 bytes

Also do I need to keep the files related to the integration process? (installer, and everything else). They do take up quite a lot of disk space...

*Edit2*
>_>, for some reason the about:blank error still appears if I have FF running. Well at least I don't have to see it every time at startup (I autostart Gigaget BTW).

*Edit3*
Oh, I've just noticed that the Microsoft Update page now works perfectly fine, I had errors viewing the Options section, and other parts of it before. Another thanks, and keep up the good work Tech Support Guy =).


----------



## Cookiegal (Aug 27, 2003)

I'm sorry I didn't reply sooner. I remember reviewing the log and thought I had replied but apparently I hadn't. 

Open Notepad and copy and paste the text in the code box below into it:


```
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------
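The SecurityProviders value that the CFScript in the post above rewrites is a load point worth being able to check mechanically: the DLLs it names are loaded into the LSA process at boot, and the ComboFix log earlier in this thread shows the four names run together without the comma separators Windows expects. The script below is an added example for this thread, not code from the forum helper, from ComboFix or from this user. It assumes the stock Windows XP SP3 list of four provider DLLs (the same list the CFScript writes back), and the function names `parse_providers`, `repair_value`, `check_security_providers` and `read_live_value` are this example's own.

```python
"""Validate the SecurityProviders registry value that the CFScript above rewrites.

Added example for this thread, not code from the forum helper or from ComboFix.
On Windows XP the value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SecurityProviders
is a REG_SZ holding a comma-separated list of security support provider DLLs.
A defender wants to know when that list is malformed (names run together, as in
the ComboFix log above) or names a DLL outside the expected set.
"""
import re
import sys
from typing import Dict, List

# Stock Windows XP SP3 list (assumption for this example), the same one the CFScript writes back.
EXPECTED_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# One DLL file name: the shortest run up to the next ".dll" that crosses no comma or space.
_DLL_NAME = re.compile(r"[^,\s]+?\.dll", re.IGNORECASE)


def parse_providers(value: str) -> List[str]:
    """Split the REG_SZ value on commas, trim whitespace and lower-case the names."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def repair_value(value: str) -> str:
    """Rebuild a comma-separated list from a value whose separators were lost.

    "msapsspc.dllschannel.dll..." becomes "msapsspc.dll, schannel.dll, ..." using
    only the names already present in the string; nothing is guessed.
    """
    names = [m.group(0).lower() for m in _DLL_NAME.finditer(value)]
    return ", ".join(names)


def check_security_providers(value: str) -> Dict[str, object]:
    """Report run-together tokens, unexpected DLLs and missing stock DLLs."""
    providers = parse_providers(value)
    issues: List[str] = []
    # A single comma-delimited token holding more than one ".dll" means the separators are gone.
    for token in providers:
        if len(_DLL_NAME.findall(token)) > 1:
            issues.append(f"missing comma separators in token {token!r}")
    # Compare individual DLL names against the stock list whether or not the
    # separators survived, so a malformed value still yields a useful diff.
    names = [m.group(0).lower() for m in _DLL_NAME.finditer(value)]
    unexpected = [n for n in names if n not in EXPECTED_PROVIDERS]
    missing = [n for n in EXPECTED_PROVIDERS if n not in names]
    return {
        "providers": providers,
        "unexpected": unexpected,
        "missing": missing,
        "issues": issues,
        "ok": not (issues or unexpected or missing),
    }


def read_live_value() -> str:
    """Read the real value on a Windows host (winreg is part of the standard library there)."""
    if sys.platform != "win32":
        raise OSError("SecurityProviders lives in the Windows registry")
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
    )
    try:
        value, _value_type = winreg.QueryValueEx(key, "SecurityProviders")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    # Constructed sample: the run-together value as it appears in the ComboFix log above.
    sample = "msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"
    report = check_security_providers(sample)
    print("ok:", report["ok"])
    for issue in report["issues"]:
        print("issue:", issue)
    print("repaired:", repair_value(sample))
```

On the affected machine `read_live_value()` returns the current string and `repair_value()` produces exactly the comma-separated list the CFScript writes; on any other host the check functions still run against a pasted log value, which is how a helper reading a ComboFix log would use them.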



## lyhipu9 (Aug 25, 2008)

It's ok. Also, during these 5 days the Gigaget about:blank error totally returned, and I was stupid enough to try out the Glary Utilities Registry Defrag >_>. It deleted lots of my startup programs (including my security ones), and a few other things. I fixed that manually later when System Restore failed. Anyways, back to the point, I did do what you said, but nothing changed... Here are the logs:

Damn, I lost the ComboFix one; I don't know where it is now... I only have the old ones. There's this one I did a while back out of boredom (I think it's that one):
ComboFix 08-08-28.04 - Jeff Liu 2008-09-03 17:32:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.75 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff Liu\Desktop\Softwares\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-03 17:24 . 2008-09-03 17:24 d-------- C:\Program Files\zabkat
2008-09-03 15:17 . 2008-09-03 15:22 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Dexpot
2008-09-02 21:46 . 2008-09-02 21:46 d-------- C:\Program Files\SUPERAntiSpyware
2008-09-02 21:46 . 2008-09-02 21:46 d-------- C:\Documents and Settings\Jeff Liu\Application Data\SUPERAntiSpyware.com
2008-09-02 21:46 . 2008-09-02 21:46 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 19:50 . 2008-09-02 19:50 d-------- C:\Program Files\AltDesk
2008-09-02 19:50 . 2008-09-02 19:50 d-------- C:\Documents and Settings\Jeff Liu\Application Data\AltDesk
2008-09-02 19:42 . 2008-09-03 16:38 125,829,120 --ahs---- C:\eboostr.dat
2008-09-02 19:39 . 2008-09-02 19:43 d-------- C:\Program Files\eBoostr
2008-09-02 18:25 . 2008-09-03 17:15 d-------- C:\Documents and Settings\All Users\Application Data\eboostr
2008-08-30 02:40 . 2008-08-30 02:40 d-------- C:\Program Files\danny_kay1710
2008-08-30 00:43 . 2008-09-03 00:18 d-------- C:\Program Files\ClipX
2008-08-28 00:21 . 2008-08-28 00:21 d-------- C:\Documents and Settings\Jeff Liu\Application Data\vlc
2008-08-28 00:20 . 2008-08-28 00:20 d-------- C:\Program Files\VideoLAN
2008-08-27 19:14 . 2008-09-03 00:16 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 19:14 . 2008-08-27 19:14 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Malwarebytes
2008-08-27 19:14 . 2008-08-27 19:14 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 19:14 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 19:14 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 02:12 . 2008-09-03 17:15 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-08-22 22:19 . 2005-09-21 16:25 12,800 --a------ C:\WINDOWS\system32\drivers\FNM1.tmp
2008-08-22 22:19 . 2005-09-21 16:26 6,656 --a------ C:\WINDOWS\system32\drivers\FNM2.tmp
2008-08-22 09:57 . 2008-08-24 20:50 d-------- C:\Program Files\SIW
2008-08-20 19:43 . 2008-08-20 19:43 d-------- C:\Program Files\Giganology
2008-08-19 21:52 . 2008-08-19 21:52 d-------- C:\Program Files\DAMN NFO Viewer
2008-08-19 03:42 . 2008-08-19 03:42 d-------- C:\WINDOWS\speech
2008-08-19 03:42 . 2008-08-19 04:58 d-------- C:\WINDOWS\Lhsp
2008-08-18 06:11 . 2008-08-18 06:11 d-------- C:\Program Files\PeaZip
2008-08-18 04:23 . 2008-08-18 04:23 d-------- C:\Program Files\DarkSide Arklight 2
2008-08-18 04:23 . 2008-08-18 04:23 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Pi Eye Games
2008-08-17 08:17 . 2008-08-17 08:17 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-08-17 03:08 . 2008-08-19 21:59 d-------- C:\Program Files\GTA2
2008-08-15 21:24 . 2008-08-15 21:26 d-------- C:\Program Files\Feeding Frenzy 2
2008-08-15 16:07 . 2008-08-15 16:07 d-------- C:\Program Files\IObit
2008-08-15 05:16 . 2008-08-15 05:16 0 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 01:28 . 2008-08-15 21:16 d-------- C:\Program Files\Unlocker
2008-08-13 19:43 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-08-13 19:42 . 2008-08-13 19:42 d-------- C:\WINDOWS\Logs
2008-08-12 16:10 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 16:08 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 04:58 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-08-12 04:57 . 2008-08-12 04:57 d-------- C:\Documents and Settings\Jeff Liu\WINDOWS
2008-08-12 04:44 . 2008-08-12 04:44 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-10 04:58 . 2008-08-10 22:44 d-------- C:\WINDOWS\system32\MappedUp dir
2008-08-09 21:43 . 2008-03-07 10:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-09 21:43 . 2008-03-07 10:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-09 21:43 . 2008-03-07 10:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-09 16:51 . 2008-08-09 16:51 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Jane s Hotel
2008-08-09 16:50 . 2008-08-30 02:21 d-------- C:\Program Files\Realore
2008-08-08 05:17 . 2008-08-08 05:17 96,376 --a------ C:\WINDOWS\system32\drivers\EBoost.sys
2008-08-07 22:54 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-08-07 11:41 . 2008-08-07 11:41 d-------- C:\Program Files\NuonSoft
2008-08-07 06:21 . 2008-08-07 06:21 d-------- C:\Program Files\ThreatFire
2008-08-07 06:21 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-08-07 05:58 . 2008-08-07 06:21 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-07 05:28 . 2008-08-07 05:28 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-08-07 05:28 . 2008-08-07 05:28 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-07 05:28 . 2008-08-07 05:28 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-08-06 05:05 . 2008-08-06 05:05 d-------- C:\Program Files\Alwil Software
2008-08-06 04:10 . 2008-08-20 22:27 d-------- C:\Program Files\Battle for Wesnoth 1.5
2008-08-05 23:20 . 2008-08-05 23:20 d-------- C:\Program Files\Stormregion
2008-08-05 08:43 . 2008-08-05 08:43 d-------- C:\WINDOWS\system32\AGEIA
2008-08-05 03:17 . 2008-08-05 03:17 d-------- C:\Program Files\Take2
2008-08-04 23:25 . 2008-08-04 23:25 110,592 --a------ C:\WINDOWS\system32\duninstall.exe
2008-08-04 23:25 . 2008-08-04 23:25 56 --a------ C:\WINDOWS\1.00.0000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 00:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-04 00:32 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\uTorrent
2008-09-03 04:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-27 05:51 --------- d-----w C:\Program Files\Ricochet Infinity
2008-08-25 12:25 --------- d-----w C:\Program Files\Glary Utilities
2008-08-24 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 23:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-11 12:43 --------- d-----w C:\Program Files\uTorrent
2008-08-07 12:56 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\Comodo
2008-08-07 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-08-07 12:28 --------- d-----w C:\Program Files\Comodo
2008-08-06 06:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-03 03:35 --------- d-----w C:\Program Files\CachemanXP
2008-08-02 02:29 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\GlarySoft
2008-07-31 17:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 17:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 17:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-31 10:36 --------- d-----w C:\Program Files\IrfanView
2008-07-31 08:53 --------- d-----w C:\Program Files\Common Files\Pointstone
2008-07-29 12:34 --------- d-----w C:\Program Files\Trend Micro
2008-07-28 12:19 --------- d-----w C:\Program Files\Foxit Software
2008-07-26 21:50 --------- d-----w C:\Program Files\D4
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 -c--a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-17 21:20 --------- d-----w C:\Program Files\Java
2008-07-15 05:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-14 12:09 212,728 ----a-w C:\WINDOWS\CMDLIC.DLL
2008-07-14 02:02 --------- d-----w C:\Program Files\VirusTotalUploader
2008-07-14 00:34 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\KC Softwares
2008-07-12 15:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 15:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 15:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2008-07-12 06:11 --------- d-----w C:\Program Files\KC Softwares
2008-07-12 03:55 249,592 ----a-w C:\WINDOWS\system32\cssdll32.dll
2008-07-11 23:08 --------- d-----w C:\Program Files\DropMyRights
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-05 21:58 8,494,592 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-07-04 22:06 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 07:18 2,332,160 ----a-w C:\WINDOWS\system32\kernel1.exe
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-04 00:57 290,816 ----a-w C:\WINDOWS\system32\XDogcat.dll
2008-04-22 07:40 625,664 --sha-w C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
2008-04-14 12:42 60,416 --sha-w C:\WINDOWS\ServicePackFiles\i386\msimn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClock Lite"="C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe" [2004-09-07 17:16 44544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-08-09 15:46 267056]
"NuonSoft Wallpaper Cycler"="C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" [2007-12-15 18:00 1947704]
"AltDesk"="C:\Program Files\AltDesk\AltDesk.exe" [2007-02-28 04:42 431616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dimension4"="C:\Program Files\D4\D4.exe" [2004-02-04 01:26 200704]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2008-08-07 05:28 1655552]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 05:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 05:00 455168]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-01 21:15 15872]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-08-14 21:14 2235720]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 10:28 495616]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 07:38 78008]
"ClipX"="C:\Program Files\ClipX\clipx.exe" [2005-11-30 14:34 68608]
"S3TRAY2"="S3tray2.exe" [2003-02-25 05:33 69632 C:\WINDOWS\system32\S3tray2.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - C:\Program Files\eBoostr\eBoostrCP.exe [2008-08-08 05:16:56 1011320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 01000000
"NoUserNameInStartMenu"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24704:TCP"= 24704:TCP:BitComet 24704 TCP
"24704:UDP"= 24704:UDP:BitComet 24704 UDP

R0 eBoost;eBoostr caching filter driver;C:\WINDOWS\system32\drivers\eBoost.sys [2008-08-08 05:17]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 07:35]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-07 05:28]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-07 05:28]
R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-09-03 17:15]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe [2008-04-30 19:54]
R2 EBOOSTRSVC;eBoostr Service;C:\Program Files\eBoostr\EBstrSvc.exe [2008-08-08 05:17]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
.
Contents of the 'Scheduled Tasks' folder

2008-09-04 C:\WINDOWS\Tasks\GlaryInitialize.job
- C:\Program Files\Glary Utilities\initialize.exe [2008-07-18 11:08]

2008-09-02 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jeff Liu\Application Data\Mozilla\Firefox\Profiles\2646gh94.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 17:38:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-03 17:42:55
ComboFix-quarantined-files.txt 2008-09-04 00:42:43
ComboFix2.txt 2008-09-03 03:29:40

Pre-Run: 24,286,486,528 bytes free
Post-Run: 24,290,701,312 bytes free

244 --- E O F --- 2008-08-27 01:49:34

Here's HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:53 PM, on 07/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cfp.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\ClipX\clipx.exe
C:\Program Files\D4\D4.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eBoostr\eBoostrCP.exe
C:\Program Files\eBoostr\EBstrSvc.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ClipX] C:\Program Files\ClipX\clipx.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TClock Lite] C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NuonSoft Wallpaper Cycler] "C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" 
O4 - Global Startup: eBoostr Control Panel.lnk = C:\Program Files\eBoostr\eBoostrCP.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214249873656
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - eBoostr.com - C:\Program Files\eBoostr\EBstrSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5127 bytes

Should I run ComboFix again?


----------



## lyhipu9 (Aug 25, 2008)

Sorry for double post, but I need to, because I've exceeded the limit of characters allowed in a post. Anyways, I've found the right one after using Search:
ComboFix 08-09-05.03 - Jeff Liu 2008-09-07 11:17:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.105 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff Liu\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff Liu\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 11:04 . 2008-09-07 11:07 d-------- C:\Program Files\Around the World in 80 Days
2008-09-05 17:02 . 2008-09-01 16:00 1,435,272 --a------ C:\WINDOWS\system32\Flash8.ocx
2008-09-05 17:00 . 2008-09-05 17:00 d-------- C:\Program Files\Wondershare
2008-09-05 15:34 . 2008-09-05 15:34 d-------- C:\Program Files\Tracker Software
2008-09-03 17:24 . 2008-09-03 17:24 d-------- C:\Program Files\zabkat
2008-09-03 15:17 . 2008-09-03 15:22 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Dexpot
2008-09-02 21:46 . 2008-09-02 21:46 d-------- C:\Program Files\SUPERAntiSpyware
2008-09-02 21:46 . 2008-09-02 21:46 d-------- C:\Documents and Settings\Jeff Liu\Application Data\SUPERAntiSpyware.com
2008-09-02 21:46 . 2008-09-02 21:46 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-02 19:50 . 2008-09-02 19:50 d-------- C:\Program Files\AltDesk
2008-09-02 19:50 . 2008-09-02 19:50 d-------- C:\Documents and Settings\Jeff Liu\Application Data\AltDesk
2008-09-02 19:42 . 2008-09-06 11:36 125,829,120 --ahs---- C:\eboostr.dat
2008-09-02 19:39 . 2008-09-02 19:43 d-------- C:\Program Files\eBoostr
2008-09-02 18:25 . 2008-09-07 10:58 d-------- C:\Documents and Settings\All Users\Application Data\eboostr
2008-08-30 02:40 . 2008-08-30 02:40 d-------- C:\Program Files\danny_kay1710
2008-08-30 00:43 . 2008-09-07 01:00 d-------- C:\Program Files\ClipX
2008-08-28 00:21 . 2008-08-28 00:21 d-------- C:\Documents and Settings\Jeff Liu\Application Data\vlc
2008-08-28 00:20 . 2008-08-28 00:20 d-------- C:\Program Files\VideoLAN
2008-08-27 19:14 . 2008-09-03 00:16 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 19:14 . 2008-08-27 19:14 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Malwarebytes
2008-08-27 19:14 . 2008-08-27 19:14 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 19:14 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 19:14 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 02:12 . 2008-09-07 10:58 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-08-22 22:19 . 2005-09-21 16:25 12,800 --a------ C:\WINDOWS\system32\drivers\FNM1.tmp
2008-08-22 22:19 . 2005-09-21 16:26 6,656 --a------ C:\WINDOWS\system32\drivers\FNM2.tmp
2008-08-22 09:57 . 2008-09-03 20:48 d-------- C:\Program Files\SIW
2008-08-20 19:43 . 2008-08-20 19:43 d-------- C:\Program Files\Giganology
2008-08-19 21:52 . 2008-08-19 21:52 d-------- C:\Program Files\DAMN NFO Viewer
2008-08-19 03:42 . 2008-08-19 03:42 d-------- C:\WINDOWS\speech
2008-08-19 03:42 . 2008-08-19 04:58 d-------- C:\WINDOWS\Lhsp
2008-08-18 06:11 . 2008-08-18 06:11 d-------- C:\Program Files\PeaZip
2008-08-18 04:23 . 2008-08-18 04:23 d-------- C:\Program Files\DarkSide Arklight 2
2008-08-18 04:23 . 2008-08-18 04:23 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Pi Eye Games
2008-08-17 08:17 . 2008-08-17 08:17 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-08-17 03:08 . 2008-08-19 21:59 d-------- C:\Program Files\GTA2
2008-08-15 21:24 . 2008-08-15 21:26 d-------- C:\Program Files\Feeding Frenzy 2
2008-08-15 16:07 . 2008-08-15 16:07 d-------- C:\Program Files\IObit
2008-08-15 05:16 . 2008-08-15 05:16 0 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 01:28 . 2008-08-15 21:16 d-------- C:\Program Files\Unlocker
2008-08-13 19:43 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-08-13 19:42 . 2008-08-13 19:42 d-------- C:\WINDOWS\Logs
2008-08-12 16:10 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 16:08 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 04:58 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-08-12 04:57 . 2008-08-12 04:57 d-------- C:\Documents and Settings\Jeff Liu\WINDOWS
2008-08-12 04:44 . 2008-08-12 04:44 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-10 04:58 . 2008-08-10 22:44 d-------- C:\WINDOWS\system32\MappedUp dir
2008-08-09 21:43 . 2008-03-07 10:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-09 21:43 . 2008-03-07 10:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-09 21:43 . 2008-03-07 10:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-09 16:51 . 2008-08-09 16:51 d-------- C:\Documents and Settings\Jeff Liu\Application Data\Jane s Hotel
2008-08-09 16:50 . 2008-08-30 02:21 d-------- C:\Program Files\Realore
2008-08-08 05:17 . 2008-08-08 05:17 96,376 --a------ C:\WINDOWS\system32\drivers\EBoost.sys
2008-08-07 22:54 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-08-07 11:41 . 2008-08-07 11:41 d-------- C:\Program Files\NuonSoft
2008-08-07 06:21 . 2008-08-07 06:21 d-------- C:\Program Files\ThreatFire
2008-08-07 06:21 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-08-07 06:21 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-08-07 05:58 . 2008-08-07 06:21 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-07 05:28 . 2008-08-07 05:28 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-08-07 05:28 . 2008-08-07 05:28 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-08-07 05:28 . 2008-08-07 05:28 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 18:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 20:56 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\uTorrent
2008-09-03 04:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-27 05:51 --------- d-----w C:\Program Files\Ricochet Infinity
2008-08-25 12:25 --------- d-----w C:\Program Files\Glary Utilities
2008-08-24 07:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-21 05:27 --------- d-----w C:\Program Files\Battle for Wesnoth 1.5
2008-08-18 23:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-11 12:43 --------- d-----w C:\Program Files\uTorrent
2008-08-07 12:56 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\Comodo
2008-08-07 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-08-07 12:28 --------- d-----w C:\Program Files\Comodo
2008-08-06 12:05 --------- d-----w C:\Program Files\Alwil Software
2008-08-06 06:20 --------- d-----w C:\Program Files\Stormregion
2008-08-06 06:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-05 10:17 --------- d-----w C:\Program Files\Take2
2008-08-05 06:25 110,592 ----a-w C:\WINDOWS\system32\duninstall.exe
2008-08-03 03:35 --------- d-----w C:\Program Files\CachemanXP
2008-08-02 02:29 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\GlarySoft
2008-07-31 17:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 17:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 17:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-31 10:36 --------- d-----w C:\Program Files\IrfanView
2008-07-31 08:53 --------- d-----w C:\Program Files\Common Files\Pointstone
2008-07-29 12:34 --------- d-----w C:\Program Files\Trend Micro
2008-07-26 21:50 --------- d-----w C:\Program Files\D4
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 -c--a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-17 21:20 --------- d-----w C:\Program Files\Java
2008-07-15 05:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-14 12:09 212,728 ----a-w C:\WINDOWS\CMDLIC.DLL
2008-07-14 02:02 --------- d-----w C:\Program Files\VirusTotalUploader
2008-07-14 00:34 --------- d-----w C:\Documents and Settings\Jeff Liu\Application Data\KC Softwares
2008-07-12 15:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 15:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 15:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2008-07-12 06:11 --------- d-----w C:\Program Files\KC Softwares
2008-07-12 03:55 249,592 ----a-w C:\WINDOWS\system32\cssdll32.dll
2008-07-11 23:08 --------- d-----w C:\Program Files\DropMyRights
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-05 21:58 8,494,592 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-07-04 22:06 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 07:18 2,332,160 ----a-w C:\WINDOWS\system32\kernel1.exe
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-04-22 07:40 625,664 --sha-w C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
2008-04-14 12:42 60,416 --sha-w C:\WINDOWS\ServicePackFiles\i386\msimn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClock Lite"="C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe" [2004-09-07 44544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"NuonSoft Wallpaper Cycler"="C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" [2007-12-15 1947704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2008-08-07 1655552]
"ClipX"="C:\Program Files\ClipX\clipx.exe" [2005-11-30 68608]
"Dimension4"="C:\Program Files\D4\D4.exe" [2004-02-04 200704]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-08-14 2235720]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 259392]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"Gigaget"="C:\Program Files\Giganology\Gigaget\GigagetShell.exe" [2006-02-07 495616]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eBoostr Control Panel.lnk - C:\Program Files\eBoostr\eBoostrCP.exe [2008-08-08 1011320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 01000000
"NoUserNameInStartMenu"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24704:TCP"= 24704:TCP:BitComet 24704 TCP
"24704:UDP"= 24704:UDP:BitComet 24704 UDP

R0 eBoost;eBoostr caching filter driver;C:\WINDOWS\system32\drivers\eBoost.sys [2008-08-08 96376]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 51520]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 38208]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-07 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-07 24208]
R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-09-07 2560]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe [2008-04-30 243200]
R2 EBOOSTRSVC;eBoostr Service;C:\Program Files\eBoostr\EBstrSvc.exe [2008-08-08 843384]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service [ ]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 33088]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 11:22:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-07 11:26:33
ComboFix-quarantined-files.txt 2008-09-07 18:26:22
ComboFix2.txt 2008-09-04 00:42:58
ComboFix3.txt 2008-09-03 03:29:40

Pre-Run: 22,664,880,128 bytes free
Post-Run: 22,663,917,568 bytes free

226 --- E O F --- 2008-08-27 01:49:34


----------



## Cookiegal (Aug 27, 2003)

Go to *Start *- *Run *then copy and paste the following:

*regedit /e C:\look.txt " HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"*

You won't see anything happen and it will only take a second. You will find the report it creates at C:\look.txt. Please open it in Notepad and then copy and paste the report here.


----------



## lyhipu9 (Aug 25, 2008)

I did what you said, more than once, but I can't find look.txt, even on Windows Search.


----------



## Cookiegal (Aug 27, 2003)

Did you look in your C drive?


----------



## lyhipu9 (Aug 25, 2008)

Ya, and nothing I can see changed as well.


----------



## Cookiegal (Aug 27, 2003)

Sorry, I failed to notice that I had inadvertently inserted a space in the command so please try again but copy and paste this command please:

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"*


----------



## lyhipu9 (Aug 25, 2008)

That's ok. As long as you're helping me =). Anyways, here's the report:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\DES 56/56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\NULL]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\Triple DES 168/168]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\MD5]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\SHA]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest]
"Lifetime"=dword:00008ca0
"Negotiate"=dword:00000000
"UTF8HTTP"=dword:00000001
"UTF8SASL"=dword:00000001


----------



## Cookiegal (Aug 27, 2003)

Are you sure that's the entire contents? There should be a line that comes before the beginning of what you posted.


----------



## lyhipu9 (Aug 25, 2008)

Oh, sorry about that. I don't know why, but it seems that I have accidentally skipped a few things (I was sure I used select all...). Here's the full report:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\DES 56/56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\NULL]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\Triple DES 168/168]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\MD5]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\SHA]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest]
"Lifetime"=dword:00008ca0
"Negotiate"=dword:00000000
"UTF8HTTP"=dword:00000001
"UTF8SASL"=dword:00000001


----------



## Cookiegal (Aug 27, 2003)

OK, that makes more sense. 

Please update MalwareBytes and allow it to download version 1.27. This is very important as there was a bug in the version I had you run that was discovered later and running a scan with the new version should fix it. So please run the scan and then post the log.


----------



## lyhipu9 (Aug 25, 2008)

Although it didn't make any noticeable difference (once again, other than restoring Help and Support on my Start menu, which I've edited), here's the log:

Malwarebytes' Anti-Malware 1.27
Database version: 1131
Windows 5.1.2600 Service Pack 3

08/09/2008 8:36:59 PM
mbam-log-2008-09-08 (20-36-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 83877
Time elapsed: 54 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dllschannel.dlldigest.dllmsnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

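The "Broken.SecurityProviders" hit above is worth understanding: the `SecurityProviders` REG_SZ value is the list of SSP DLLs that LSA loads into lsass.exe at boot, so it is both something the system needs intact and a well-known place for unwanted DLLs to be added. The log shows the separators had been lost (four names run together), which is what Malwarebytes repaired. The following is an added example, not code from the thread or from Malwarebytes, that reads the value out of a `.reg` export like the one posted earlier in this thread, classifies it, and rebuilds the separators; the sample exports (including the extra `extra.dll` entry) are constructed here for illustration.

```python
import re

# Constructed sample exports. The first carries the exact "Bad" string from
# the Malwarebytes log above, the second the "Good" string it wrote back, and
# the third a hypothetical extra DLL to show the unknown-entry case.
BROKEN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"
'''

GOOD_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
'''

EXTRA_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, extra.dll"
'''

# The SSP DLLs Windows XP ships in this value (the "Good" list in the log).
# Every DLL named here is loaded into lsass.exe, so anything outside this set
# deserves a look before it is trusted.
KNOWN_XP_PROVIDERS = frozenset(
    {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
)

SECPROV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"
VALUE_RE = re.compile(r'^"SecurityProviders"="(.*)"$', re.IGNORECASE)


def read_security_providers(reg_text):
    """Return the raw SecurityProviders string from a .reg export, or None.

    Key names are compared case-insensitively because exports of this hive
    are often written in lowercase (as in the export posted in this thread).
    """
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.lower() == SECPROV_KEY.lower():
            m = VALUE_RE.match(line)
            if m:
                return m.group(1)
    return None


def audit_security_providers(reg_text):
    """Classify the value and return (status, entries).

    status is one of:
      'missing'     - no such value in the export
      'broken'      - separators lost, names run together (the case in the log)
      'unknown_dll' - an entry that is not one of the XP defaults
      'ok'          - the stock list, properly comma-separated
    """
    value = read_security_providers(reg_text)
    if value is None:
        return "missing", []
    entries = [t.strip().lower() for t in value.split(",") if t.strip()]
    # A token with ".dll" somewhere before its end is two names run together.
    if any(re.search(r"\.dll.", e) for e in entries):
        return "broken", entries
    if not all(e in KNOWN_XP_PROVIDERS for e in entries):
        return "unknown_dll", entries
    return "ok", entries


def repair_providers(value):
    """Rebuild the comma-separated form by splitting at each '.dll' boundary."""
    names = re.findall(r"[^\s,]+?\.dll", value, re.IGNORECASE)
    return ", ".join(names)


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("good", GOOD_EXPORT),
                          ("extra", EXTRA_EXPORT)):
        status, entries = audit_security_providers(export)
        print(label, status, entries)
    print(repair_providers("msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"))
```

Run it against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders sp.reg` on the affected machine, then feed the file contents in) rather than editing the live registry; the repaired string is only the right fix when every recovered name is one you expect to be there.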

----------



## Cookiegal (Aug 27, 2003)

That fixed the damaged registry key.

Please post a new HijackThis log.


----------



## lyhipu9 (Aug 25, 2008)

Ok here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:15 PM, on 10/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\ClipX\clipx.exe
C:\Program Files\D4\D4.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eBoostr\eBoostrCP.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\eBoostr\EBstrSvc.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ClipX] C:\Program Files\ClipX\clipx.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Gigaget] "C:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [TClock Lite] C:\Documents and Settings\Jeff Liu\My Documents\TClock Lite\tclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NuonSoft Wallpaper Cycler] "C:\Program Files\NuonSoft\WallpaperCycler3\WallpaperCycler Lite.exe" 
O4 - Global Startup: eBoostr Control Panel.lnk = C:\Program Files\eBoostr\eBoostrCP.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1214249873656
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - eBoostr.com - C:\Program Files\eBoostr\EBstrSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5012 bytes

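A HijackThis log is just a list of autostart and hook locations, and a first-pass triage of one can be automated. The script below is an added example, not part of the thread or of HijackThis, that parses the `Oxx - ` entries into records and applies three coarse checks: O23 services that HijackThis reports with "Unknown owner" (the log above shows one, cmdAgent), any O20 AppInit_DLLs or Winlogon Notify entry (both are DLL-injection points that deserve a look regardless of who owns them), and O2/O4 items whose binary lives outside Program Files or the Windows directory. The sample is a constructed excerpt: its lines are copied from the log above except for one made-up O4 entry pointing at a Temp folder, added to exercise the last check. These rules are my own heuristics, not anything HijackThis itself applies, and legitimate user-installed tools (the TClock entry in the log, for instance) will trip the path check too; the output is a list of things to verify, not verdicts.

```python
import re

# Constructed excerpt in HijackThis v2 format. All lines but the "[updater]"
# O4 entry are taken from the log posted above; that one is made up.
SAMPLE_LOG = r'''O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
'''

# "O4 - rest of line", also R/F/N sections that HijackThis emits.
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# First Windows path ending in a loadable file type, quoted or not.
PATH_RE = re.compile(
    r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|scr))"?', re.IGNORECASE
)

# Locations an autostart binary is normally expected under on XP. This is a
# triage heuristic of mine, not a HijackThis rule.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def parse_hjt(text):
    """Turn a HijackThis log into a list of {section, body, path} records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            continue  # header, 'Running processes', blank lines, etc.
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "path": pm.group(1) if pm else None,
        })
    return entries


def triage(entries):
    """Return (section, reason, detail) tuples for entries worth verifying."""
    findings = []
    for e in entries:
        sec, body, path = e["section"], e["body"], e["path"]
        low = (path or "").lower()
        if sec == "O23" and "Unknown owner" in body:
            # HijackThis found no publisher string on the service binary;
            # check its digital signature before trusting it.
            findings.append((sec, "service with no publisher string", path))
        elif sec == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                findings.append((sec, "AppInit_DLLs is set", body))
            elif body.startswith("Winlogon Notify:"):
                findings.append((sec, "Winlogon Notify package", path))
        elif sec in ("O2", "O4") and path and not low.startswith(TRUSTED_ROOTS):
            findings.append((sec, "autostart outside Program Files/Windows", path))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec}: {reason}: {detail}")
```

On the sample this reports the cmdAgent service, the SASWinLogon notify package, and the Temp-folder Run entry, and stays quiet about the Gigaget BHO in system32 and the empty AppInit_DLLs line; extend `TRUSTED_ROOTS` or the rule set to match what is normal on the machine being looked at.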

----------



## Cookiegal (Aug 27, 2003)

How are things now?


----------



## lyhipu9 (Aug 25, 2008)

Well, I grew tired of looking for a cure for this thing. Also my feeling of annoyance about this died down. Well I guess I'll just close it every time it pops up, just like the old days, when I was closing popups using IE6. Anyways, the Eboostr nag screen is worse, although it did speed up my pc a little... I can live with it. Thanks for everything, but I'm not gonna bother with asking for more help. You can still help me if you want.


----------



## Cookiegal (Aug 27, 2003)

I'd like to try a few more things before giving up if you're game. 

First, how many other users are there on this computer?

Go to *Start * *Run *- type *msconfig*  click OK and click on the *startup tab*. Uncheck everything there except for your anti-virus program. Then reboot and let me know if the problem persists please.


----------



## lyhipu9 (Aug 25, 2008)

Well, there was the Guest, and the default Administrator accounts, but I've disabled both, and deleted all the content of the Guest account in Documents and Settings (problem appeared before that). Now there's only me, my family uses the other 2 computers, and a laptop. As for the reboot, I'll try it later, I want to be on my pc for the moment.


----------



## Cookiegal (Aug 27, 2003)

That's fine.


----------



## lyhipu9 (Aug 25, 2008)

Tried, but nothing changed, except that somehow, along the way, the errors that open along with FF seem to only appear once after bootup (got lazy on testing them recently). Also, after restoring everything back in startup, and rebooting, the errors seem to have disappeared the first time I retested everything, but then reappeared as normal the second time (ones that open with FF only appear once). Strange ...


----------



## Cookiegal (Aug 27, 2003)

Go into msconfig again and select the "Services" tab and check "Hide Microsoft Services".

Then try unchecking all the NON Microsoft services and reboot. See if it still happens.


----------



## lyhipu9 (Aug 25, 2008)

Sorry for the late reply, but Saturday was hell. The keyboard fell face flat (it was a Japanese one, since I've broken my other one), and I don't know what it did, but my Firefox turned into Lagzilla. Also a few of my add-ons got reinstalled, and the text wasn't right. I tried System Restore, but it didn't work [for some reason, I couldn't specify a date (probably keyboard's fault again)], but it did return me to my most recent one. Sigh, had to reinstall a clean Firefox, took a LONG time to get all my customizations back. Then there was homework, the next day >_>. Well, ultimately, I admit it was my fault (should've repaired the sliding part of my desktop table properly), but that was one messed weekend. Anyways, I will try what you told me to do, but right now, I'm waiting for eBoostr to finish building the cache for the new 4gb flash drive my dad got for me [I've tried lots of things (except adding RAM, which is impossible unless I remove the original chips, also few chips work with my pc, because it's old) to speed up my computer, but this one seems to work best]. Also, one last question (please answer this one off-topic question instead of ignoring it like before), should I allocate it with my system memory? I'm not sure what good it will do for me, because my system memory is low (512mb total).

*Edit*
Sorry again for the tardiness, but I decided to get a new keyboard earlier on (tired of waiting for eBoostr), and got carried away afterwards... Anyways, it seems that all the errors that open with Firefox are gone, service disabled or not. I think it's because of my clean reinstall. Well, only Gigaget left. Maybe I should reinstall it as well?


----------



## Cookiegal (Aug 27, 2003)

First of all, I've edited your post. Please be careful of your language.

Secondly, if it seems that I have "ignored" a question, it was not intentional and it was probably overlooked. Now, unfortunately, I don't understand the question, so can you please elaborate?

Also, are you saying everything is fine now? That's not clear to me either.


----------



## lyhipu9 (Aug 25, 2008)

Ok, I will stop chatting and get down to business. Yes, every error related to Firefox seems to be fine now (htm files, etc), probably because of my clean re-install. Now it seems there is only Gigaget, and Help and Support (which I do not need) left. Should I just try reinstalling Gigaget? As for my other question, I'm wondering if I should bother using my system memory as a cache device in Eboostr, I only have 512 mb total.

*Edit*
Now, clicking Microsoft (Windows) Update, Internet Explorer shows up for no reason with a blank page... It even happens when I clearly have Firefox running. Now what do I do?


----------



## Cookiegal (Aug 27, 2003)

I wouldn't use Gigaget but it's your choice. Programs designed to make things faster usually don't have any significant enhancements.

Unfortunately, regarding your Eboostr memory cache question, I don't know the answer. You might want to ask about that in the operating system forum or other software.

If you're getting a blank page when clicking on Windows Updates it's possible you aren't allowing the ActiveX control necessary to check for updates.


----------



## lyhipu9 (Aug 25, 2008)

Oh, but my ActiveX control does work properly, even in Firefox, courtesy of the IE tab add-on. About the Gigaget application, I use it since it does seem to be the fastest, and is free. Also it does enhance my download speed, up to 2-3 times (better than most others). I definitely don't need anything else in download managers other than the basics (so ones with more features aren't needed), and the little error isn't really that annoying.


----------



## Cookiegal (Aug 27, 2003)

Try this please:

In Internet Explorer go to Tools - Internet Options - Security - Custom Level.

Scroll down and check "enable" for the 'Allow META REFRESH' setting, if it is not already checked. 

Let me know how it goes please.


----------



## lyhipu9 (Aug 25, 2008)

It's already allowed though...


----------



## Cookiegal (Aug 27, 2003)

OK then try pasting this URL into your IE browser and see if it corrects the problem.

http://update.microsoft.com/windowsupdate/v6/


----------



## lyhipu9 (Aug 25, 2008)

it says it's currently unavailable, but it works fine in Firefox. *Double-Checks* Now it's working... *Opens Microsoft (Windows) update*. Still the same.


----------



## Cookiegal (Aug 27, 2003)

So when you paste that URL in Firefox it works.

When you paste it in IE does it work also?

And it's just when you click on Tools "Windows Updates" that it doesn't work?


----------



## lyhipu9 (Aug 25, 2008)

Ya.


----------



## Cookiegal (Aug 27, 2003)

Let's try this Automated Windows Update Fix.

Download *WUFix.zip* and unzip to your desktop.
Double-Click WUFix.bat to run fix.
You will see a window open and commands processing. When the window closes the fix will have completed.
Restart the computer.
This fix clears the proxy cache, places Windows Update sites in the Trusted Zone, places Windows Update sites in the exception list of the IE Popup Blocker, starts all dependent services, registers the required DLLs, empties the Windows Update temporary folder (with backup), renames the catroot2 folder, retains the update history and Event log, and deletes the BITS pending download queue.

Then reboot and try Windows Updates again.

Also, you may have to wait a bit before the download appears. CastleCops is having trouble with their servers and is very slow, but it should appear after about 30 seconds to a minute. I just wanted to forewarn you about that.


----------



## lyhipu9 (Aug 25, 2008)

Sorry, I kind of lost interest, and forgot about this. Also I had a bit of a problem downloading WUFix.zip. Anyways, I ran it, but it didn't seem to do anything. Then later on, I recreated my *Guest* account (to ensure the privacy of my pc), but for some reason, Explorer doesn't work there, except for the desktop. When I tried to open any shortcuts that should be opened by Explorer, Search comes up out of nowhere. Even when something comes up in Search, you can't open it with Explorer o_o. Well, I really don't care that much about it (because I rarely have guests), but it's a bit of a problem, and will make people suspicious of me...


----------



## Cookiegal (Aug 27, 2003)

Well if you're losing interest then I find it hard to be interested.


----------



## lyhipu9 (Aug 25, 2008)

Well, please continue helping me for now. Also, I've kinda given up on the Gigaget one... but I'm still pretty interested in fixing the Windows Updates one, and especially the weird new Guest account one. I hope you'll agree. Lastly, good luck and many thanks on finding the solution.

Edit: Something else popped up >_>. Now, whenever I double click text documents, Windows tries to print them. This only happens if Notepad is the default program for opening .txt files. I think it happened around the time I uninstalled Taskbar Shuffle with Revo in Advanced mode. Currently, I am using Jarte, my word processor, to open these files, but Notepad opens them quicker.


----------



## Cookiegal (Aug 27, 2003)

I think you should start a new thread in the XP forum for assistance with those problems as that's not my area of expertise.


----------



## lyhipu9 (Aug 25, 2008)

Sure I'll do that.

*Edit*
Now the txt files problem is gone, dunno why though...


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------

