# Mal/Generic-A problem



## trala (May 4, 2009)

I'm running webroot spysweeper on my computer (XP operating system) and it quaranteened something called "Mal/Generic-A problem" It is still in quaranteen , but my computer is running very slowly, and several days ago spysweeper kept intercepting various websites that my computer was trying to go to and webroot posted a message that it stopped it. That is not happening now, but the computer is just slow. Any help would be appreciated. I'm running AGV antivirus (free ware) and webroot spysweeper. Thanks in advance  Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:07 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Quark\QuarkXPress 6.0\QuarkXPress.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DVDSentry] "C:\WINDOWS\System32\DSentry.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [TraySantaCruz] "C:\WINDOWS\SYSTEM32\tbctray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
--
End of file - 8217 bytes


----------



## Cheeseball81 (Mar 3, 2004)

Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this 
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns


----------



## trala (May 4, 2009)

Thank you for your response, hope i disabled everything ok. Here is the combo fix log:

ComboFix 09-05-05.02 - Philip 05/05/2009 13:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.249 [GMT -7:00]
Running from: c:\documents and settings\Philip\Desktop\Combo fix\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_003908_.tmp.dll
c:\windows\system32\_003909_.tmp.dll
c:\windows\system32\_003910_.tmp.dll
c:\windows\system32\_003911_.tmp.dll
c:\windows\system32\_003918_.tmp.dll
c:\windows\system32\_003919_.tmp.dll
c:\windows\system32\_003920_.tmp.dll
c:\windows\system32\_003921_.tmp.dll
c:\windows\system32\_003923_.tmp.dll
c:\windows\system32\_003924_.tmp.dll
c:\windows\system32\_003927_.tmp.dll
c:\windows\system32\_003928_.tmp.dll
c:\windows\system32\_003930_.tmp.dll
c:\windows\system32\_003931_.tmp.dll
c:\windows\system32\_003932_.tmp.dll
c:\windows\system32\_003934_.tmp.dll
c:\windows\system32\_003935_.tmp.dll
c:\windows\system32\_003937_.tmp.dll
c:\windows\system32\_003938_.tmp.dll
c:\windows\system32\_003942_.tmp.dll
c:\windows\system32\_003943_.tmp.dll
c:\windows\system32\_003945_.tmp.dll
c:\windows\system32\_003948_.tmp.dll
c:\windows\system32\_003950_.tmp.dll
c:\windows\system32\_003951_.tmp.dll
c:\windows\system32\_003952_.tmp.dll
c:\windows\system32\_003953_.tmp.dll
c:\windows\system32\_003954_.tmp.dll
c:\windows\system32\_003957_.tmp.dll
c:\windows\system32\_003958_.tmp.dll
c:\windows\system32\_003959_.tmp.dll
c:\windows\system32\_003960_.tmp.dll
c:\windows\system32\_003961_.tmp.dll
c:\windows\system32\_003966_.tmp.dll
c:\windows\system32\_003968_.tmp.dll
c:\windows\system32\_003969_.tmp.dll
c:\windows\system32\open.ico
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-04-16 15:04 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 15:04 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 15:04 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 15:04 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 15:04 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 15:04 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 15:04 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 15:04 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 15:04 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 15:04 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 15:03 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 15:03 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 15:10 . 2009-03-20 16:10 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-01 15:10 . 2009-03-20 16:10 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-01 15:09 . 2009-03-20 16:10 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-21 20:58 . 2006-01-06 19:18 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-02 14:25 . 2002-09-03 19:34 91071 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-20 16:09 . 2009-03-20 16:09 -------- d-----w c:\program files\AVG
2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 03:32 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2009-04-02 04:26 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2009-04-02 04:26 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2009-04-02 04:26 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-04-17 07:28 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2009-04-02 04:25 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2009-04-02 04:25 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2009-04-02 04:25 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2009-04-02 04:25 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 11:00 35328 ----a-w c:\windows\system32\sc.exe
2006-12-16 17:12 . 2006-12-16 17:12 604 ---ha-w c:\program files\STLL Notifier
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-14 01:04 238968 ----a-w c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2002-11-22 26112]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-13 8466432]
"nwiz"="c:\windows\system32\nwiz.exe" [2007-08-13 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-13 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"TraySantaCruz"="c:\windows\SYSTEM32\tbctray.exe" [2002-04-03 290816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-20 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 15:10 11952 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/20/2009 9:10 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/20/2009 9:10 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/20/2009 9:09 AM 298776]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [12/30/2008 2:19 PM 1086840]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [12/31/1979 11:00 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [12/31/1979 11:00 PM 545088]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/18/2008 10:36 AM 33752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a1ffdab-87f3-11dc-9fc3-00c0a88f921c}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e676521-dc77-11d9-9c51-00038a000015}]
\Shell\AutoRun\command - i:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2008-09-26 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]

2009-05-02 c:\windows\Tasks\RoxioUpdator.job
- c:\program files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe [2004-05-14 05:45]

2009-05-01 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-07-12 01:11]

2009-05-01 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-07-12 01:11]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Dell|Alert - c:\program files\Dell\Support\Alert\bin\DAMon.exe
HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Philip\Application Data\Mozilla\Firefox\Profiles\ub3e3g06.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4060)
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\SYSTEM32\LxrJD31s.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-05 14:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 21:10

Pre-Run: 68,855,664,640 bytes free
Post-Run: 68,942,897,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

207 --- E O F --- 2009-04-17 10:09

*
Here is the new hHijackThis log:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:19 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DVDSentry] "C:\WINDOWS\System32\DSentry.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 6433 bytes

I did get an "exception processing message c0000013 parameter 75b6f7c 4 75b6f7c 75b6f7c " when the computer rebooted after combo fix. I told it to continue. I dont know if thats important.

Thanks


----------



## Cheeseball81 (Mar 3, 2004)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.*


----------



## trala (May 4, 2009)

I have not downloaded Malwarebytes anti malware yet. Do I *1) disable all my anti virus and mal ware programs before I run it?* Also, I ran webroot antivirus after I did combo fix and it found the following *"App/PsExec-Gen hack tool".* It seems to be related to Combo fix.exe that was put in a folder. I quarantined it. 2) *Should I delete it and then down load malware bytes?*

Please advise on both questions. Thanks


----------



## Cheeseball81 (Mar 3, 2004)

1. No, you should be able to run it without disabling anything.

2. That's a false positive. The tool is perfectly safe.


----------



## trala (May 4, 2009)

Hi Cheeseball81,

Here is the Malwarebytes log


Malwarebytes' Anti-Malware 1.36
Database version: 2096
Windows 5.1.2600 Service Pack 3

5/8/2009 2:29:18 PM
mbam-log-2009-05-08 (14-29-18).txt

Scan type: Quick Scan
Objects scanned: 82609
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks for your help!


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome! Now post a new Hijack This log please.


----------



## trala (May 4, 2009)

Hello Cheeseball, Here is the Hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:25 PM, on 5/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DVDSentry] "C:\WINDOWS\System32\DSentry.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [TraySantaCruz] "C:\WINDOWS\SYSTEM32\tbctray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 6654 bytes


----------



## Cheeseball81 (Mar 3, 2004)

How are things now?


----------



## trala (May 4, 2009)

Hi Cheeseball,

The computer is now acting normal!! I'm relieved to hear that webroot's SpySweeper quaranteen was a false positve. Should I delete these files out of spysweeper's Quaranteen, restore them, or does it matter? The quaranteened files are:

App/PsExec-gen (under this are three pathways that are quarnteened)

1) restore 987E0331-0f01-427C-A58A-7A2E4AABF8403RP12601A01123006.EXE
2) C:\Documents and settings|Deskrop\combo Fix\Combofix.exe
3) C:\Documents and Settings|Desktop\combo Fix\Combofix.exe

Can you advise me?

Thanks


----------



## Cheeseball81 (Mar 3, 2004)

I would delete the files from the quarantine, although they probably remain in there safely like a vault.

Go to to Start > Run
Type in box

*combofix /u*

Note: the space between the X and the /u

Press Enter.
This will uninstall ComboFix.

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the *Mark Solved* button.


----------



## trala (May 4, 2009)

Hello Cheeseball,

I tried the following as you suggested:

Go to to Start > Run
Type in box

*combofix /u*

Note: the space between the X and the /u

Press Enter.
This will uninstall ComboFix.

a message comes up saying windows cannot find combo fix

I did not try deleting the Spysweeper quaranteened files first (they are still quaranteened) . *I think combofix quaranteened some files. Wouldn't uninstalling combo fix make these quaranteened files go back in the computer? *Can you advise?

Thanks,

Trala


----------



## Cheeseball81 (Mar 3, 2004)

Maybe it can't find it because didn't your webroot antivirus quarantined it?


----------



## trala (May 4, 2009)

I think you are right. The three items Webroot quaranteened were:

1) restore 987E0331-0f01-427C-A58A-7A2E4AABF8403RP12601A01123006.EXE
2) C:\Documents and settings|Deskrop\combo Fix\Combofix.exe
3) C:\Documents and Settings|Desktop\combo Fix\Combofix.exe

*I'm still concerned that if i uninstall combo fix it will reinfect my computer with the files it quarantined. Malwarebytes didn't find anything when I ran it the first time, so I'm sure that what ever combo fix did, that was what fixed the computer. *

Any ideas?

thanks, Trala


----------



## Cheeseball81 (Mar 3, 2004)

The files should be in a folder called C:\backups
Can you locate it?


----------



## trala (May 4, 2009)

Hello Cheeseball,

Sorry for the delay in responding, I didn't realize there was a second page!! oops. *The computer is running slower again*. I'm wondering when Webroot spyspweeper quaranteened the combo fix files, maybee it allowied the malware to run again. Again, here is what webroot quaranteened:

1) restore 987E0331-0f01-427C-A58A-7A2E4AABF8403RP12601A01123006.EXE
2) C:\Documents and settings|Deskrop\combo Fix\Combofix.exe
3) C:\Documents and Settings|Desktop\combo Fix\Combofix.exe

If I allow webroot to restore these files wouldn't that make combo fix exe appear? I'm not sure what the first exe is (restore 987E0331-0f01-427C-A58A-7A2E4AABF8403RP12601A01123006.EXE) and if it is malware or not

I found these 2 folders and files under backups when I did a search (as well as backups for spybot and hijackthis):

1) C:\Qoobox\quarantine\registry_ backups\ HKLM_run-BJCFD.reg

2) C:\WINDOWS\SYSTEM32\ Reinstallbackups\driver files

Sorry for the overload of info. I'm not sure what to do next and what is important, since the computer is running slower again.

thanks for all your help

Trala


----------



## Cheeseball81 (Mar 3, 2004)

See if you can take ComboFix out of quarantine and run it again.

Also run this:

* *Click here* to download *ATF Cleaner* by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.

Under *Main* choose: *Select All*

Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.



*If you use Opera:*
Click *Opera* at the top and choose: *Select All*

Click the *Empty Selected* button.

*

[*]NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.



Click *Exit* on the Main menu to close the program.


----------



## trala (May 4, 2009)

Hello Cheeseball,

Followed your instructions.

Restored all quaranteened files in Webroot Spyspweeper
Ran Combofix
Ran ATF

Here is the combofix log:

ComboFix 09-05-22.04 - Philip 05/22/2009 12:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.308 [GMT -7:00]
Running from: c:\documents and settings\Philip\Desktop\Combo fix\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Webroot Internet Security Essentials *disabled* {2DB6657C-B970-44d3-AB42-6325A913CCC2}
.

((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-19 16:00 . 2009-05-01 15:10 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-19 16:00 . 2009-05-01 15:09 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-19 16:00 . 2009-05-01 15:09 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-19 16:00 . 2009-05-01 15:08 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-19 16:00 . 2009-05-01 15:08 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-19 16:00 . 2009-05-01 15:09 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-19 16:00 . 2009-05-01 15:10 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-19 15:59 . 2009-05-01 15:07 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-19 15:59 . 2009-05-01 15:07 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-12 16:00 . 2009-05-01 15:10 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-12 16:00 . 2009-05-01 15:10 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-12 10:02 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-12 10:02 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-12 10:02 . 2009-05-12 10:02 -------- d-----w c:\windows\system32\KB905474
2009-05-08 21:18 . 2009-05-08 21:18 -------- d-----w c:\documents and settings\Philip\Application Data\Malwarebytes
2009-05-08 21:18 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-08 21:18 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 21:18 . 2009-05-08 21:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 21:18 . 2009-05-08 21:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 15:10 . 2009-03-20 16:10 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-01 15:10 . 2007-02-17 18:19 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 15:10 . 2009-03-20 16:10 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-01 15:09 . 2009-03-20 16:10 108552 ----a-w  c:\windows\system32\drivers\avgtdix.sys
2009-04-21 20:58 . 2006-01-06 19:18 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-02 14:25 . 2002-09-03 19:34 91071 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-24 03:32 826368 ----a-w c:\windows\system32\wininet.dll
2006-12-16 17:12 . 2006-12-16 17:12 604 ---ha-w c:\program files\STLL Notifier
.

((((((((((((((((((((((((((((( [email protected]_21.05.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-30 21:25 . 2009-04-21 20:58 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-30 21:25 . 2009-05-09 15:31 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-09-03 19:45 . 2009-05-09 15:31 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 19:45 . 2009-04-21 20:58 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 19:45 . 2009-05-09 15:31 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 19:45 . 2009-04-21 20:58 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-05-05 21:00 . 2009-05-05 21:00 4922 c:\windows\temp\wrstemp\S-1-5-21-3146353498-973909072-2444282341-500.dat
+ 2009-05-05 21:17 . 2009-05-22 20:02 4922 c:\windows\temp\wrstemp\S-1-5-21-3146353498-973909072-2444282341-500.dat
- 2009-05-05 21:00 . 2009-05-05 21:05 5142 c:\windows\temp\wrstemp\S-1-5-21-3146353498-973909072-2444282341-1005.dat
+ 2009-05-05 21:17 . 2009-05-22 20:02 5142 c:\windows\temp\wrstemp\S-1-5-21-3146353498-973909072-2444282341-1005.dat
+ 2009-05-05 21:17 . 2009-05-22 20:02 4250 c:\windows\temp\wrstemp\S-1-5-20.dat
- 2009-05-05 21:00 . 2009-05-05 21:05 4250 c:\windows\temp\wrstemp\S-1-5-20.dat
- 2009-05-05 21:00 . 2009-05-05 21:05 4182 c:\windows\temp\wrstemp\S-1-5-19.dat
+ 2009-05-05 21:17 . 2009-05-22 20:02 4182 c:\windows\temp\wrstemp\S-1-5-19.dat
+ 2009-05-05 21:17 . 2009-05-22 20:02 3504 c:\windows\temp\wrstemp\S-1-5-18.dat
+ 2005-05-11 04:47 . 2009-05-07 07:16 24699336 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-14 01:04 238968 ----a-w c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2002-11-22 26112]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-16 98304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-13 8466432]
"nwiz"="c:\windows\system32\nwiz.exe" [2007-08-13 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-13 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"TraySantaCruz"="c:\windows\SYSTEM32\tbctray.exe" [2002-04-03 290816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-20 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 15:10 11952 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/20/2009 9:10 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/20/2009 9:10 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/20/2009 9:09 AM 298776]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [12/30/2008 2:19 PM 1086840]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [12/31/1979 11:00 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [12/31/1979 11:00 PM 545088]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/18/2008 10:36 AM 33752]
.
Contents of the 'Scheduled Tasks' folder

2008-09-26 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]

2009-05-17 c:\windows\Tasks\RoxioUpdator.job
- c:\program files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe [2004-05-14 05:45]

2009-05-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 05:18]

2009-05-22 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-07-12 01:11]

2009-05-22 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-07-12 01:11]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-procexp90.Sys
SafeBoot-AVG Anti-Spyware Guard
SafeBoot-svcWRSSSDK

.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Philip\Application Data\Mozilla\Firefox\Profiles\ub3e3g06.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 13:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2856)
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-22 13:05
ComboFix-quarantined-files.txt 2009-05-22 20:05
ComboFix2.txt 2009-05-05 21:10

Pre-Run: 68,652,273,664 bytes free
Post-Run: 68,631,400,448 bytes free

167 --- E O F --- 2009-05-13 10:10

Please not that combo fix was run first and log posted, then I ran ATF
I now have spysweeper and AVG disabled
The computer seems to be running normally. I think that this is where we got to when I ran spysweeper and it quanteened combofix. Is combofix quaranteening any files? (Just wondering what would happen if it was and I unistalled combofix:

How should I proceed from here?

thanks Trala

Trala


----------



## Cheeseball81 (Mar 3, 2004)

ComboFix looks good. If the system starts running slow again, it could be other things that are necessary. Like a disk defrag of the hard drive. Or possibly more memory.


----------



## trala (May 4, 2009)

Hello cheeseball,

I just got onto the computer today 5-23, and it was running slow again. Avg is deactivated as well as spysweeper. I then ran combofix again today, and now the computer is running fine again. (I defraged my hard drive a few days ago.) Combofix seems to be correcting whatever is slowing it down. I haven't used the computer at all between the two combofix runs that improved it. Any ideas?

Trala


----------



## Cheeseball81 (Mar 3, 2004)

I don't see ComboFix actually removing anything. So I don't see how it's making the problem go away temporarily. 
Does it run slow in general? On Startup/shutdown? while on the web?
How much RAM does it have?


----------



## trala (May 4, 2009)

Yesterday I disabled AVG and spysweeper, ran combofix and atf cleaner, the computer ran fine, I left it on and today it ran slowly. I think i may have found something that is a clue. I went into AVG, the resident shield was disabled (as you suggested). There was a message that read: Resident shield detection:

Trojan horse Downloader Generic_cAKX C:\Documents and settings\Philip\local settings\temporary internet

AVG ran a scan last night (only the resident sheld was deactivated) I think AVG might have picked this up last night and this might have something to do with the slow down.

Does this help?

Trala


----------



## Cheeseball81 (Mar 3, 2004)

Alittle. Something in temporary internet (files) is pretty harmless though.
You can easily clean those out with the ATF Cleaner. 
-Or-
Quit Internet Explorer and quit any instances of Windows Explorer. 
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK. 
Click OK.


----------



## trala (May 4, 2009)

Hello Cheeseball,

I got rid of the temp files as you suggested. Spy sweeper and AVG are still disabled and the computer has been running normally for several days now!! 

Should I un install combo fix so that spy sweeper doesn't pick it up as a hacker tool? Remember last time I ran Spy sweeper it quarantined combo fix. Thanks for your help.

Trala


----------



## Cheeseball81 (Mar 3, 2004)

Yes you can. 
And you're welcome.


----------

