Could this HJT log be checked please.
 
Posted 7/12/2008 6:15 AM
New Member


Group: Forum Members
Last Login: 8/8/2008 6:32 PM
Posts: 63, Visits: 1,516
Have inherited this computer from a friend to fix and basically get running smoothly. The computer is an Intel E6850 with 3 gig of RAM, 8800 Ultra video, with Win XP including SP3.

I have been through the registry, updated all security and generally cleaned up the machine and ensured all updates applied. No problems have been found, but I have basically the same specs on my computer.

This machine is so slow when booting up (although only 8 items are in start-config). Response on simple tasks is again slow. In general this machine resembles a Pentium 3 in operation.

Hopefully HJT log when interpreted can shed some light on what might be the problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:44 PM, on 12/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Photodex\ProShow\ScsiAccess.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CleanCache 3.0\CleanCache.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\jv16 PowerTools 2007\jv16PT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\slrundll.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abc.net.au/news/justin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CleanCache3.lnk = C:\Program Files\CleanCache 3.0\CleanCache.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F63EC1F9-562F-455C-9DDE-D312759A0B26}: NameServer = 203.0.178.191
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShow\ScsiAccess.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6080 bytes

Your assistance and/or advice would be appreciated.

Regards

noels7
Post #242407
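As an added example (not from the thread, from HijackThis, or from any tool mentioned in it), a small Python triage script that parses the R0/R1, O2, O4, O17 and O23 line formats used in the log above and applies a few defender-side review rules. The sample lines are copied from the log in this post; the review heuristics (unknown service owner, PATH-resolved start-up command, public DNS server, non-default IE page) are this example's own assumptions, not anything HijackThis reports.

```python
"""Triage helper for HijackThis v2.0 log lines (added example, not part of the
thread or of HijackThis). It parses R0/R1, O2, O4, O17 and O23 entries into
records and applies a few defender-side review rules that are assumptions of
this example, not anything HijackThis itself reports."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abc.net.au/news/justin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{F63EC1F9-562F-455C-9DDE-D312759A0B26}: NameServer = 203.0.178.191
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShow\ScsiAccess.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""


@dataclass
class Entry:
    section: str                                 # "R0", "O4", "O23", ...
    body: str                                    # text after the "O4 - " prefix
    fields: dict = field(default_factory=dict)   # parsed sub-fields, if any


SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
PARSERS = {
    "R0": re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]*?) = (?P<url>.*)$"),
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O17": re.compile(r"NameServer = (?P<servers>[0-9., ]+)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}
PARSERS["R1"] = PARSERS["R0"]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hjt(text):
    """Turn the entry lines of an HJT log into Entry records (header and process list are skipped)."""
    entries = []
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(m["sec"], m["body"])
        pat = PARSERS.get(entry.section)
        sub = pat.search(entry.body) if pat else None
        if sub:
            entry.fields = sub.groupdict()
        entries.append(entry)
    return entries


def command_executable(cmd):
    """Executable part of an O4 command: the quoted path, or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review(entries):
    """Apply the review heuristics; returns (section, reason, detail) tuples in log order."""
    findings = []
    for e in entries:
        f = e.fields
        if not f:
            continue
        if e.section == "O23" and f["owner"].lower() == "unknown owner":
            findings.append((e.section, "service has no vendor information; check the file's origin and signature", f["path"]))
        elif e.section == "O4" and "\\" not in command_executable(f["cmd"]):
            findings.append((e.section, "bare executable name is resolved via PATH; confirm which file actually runs", f["cmd"]))
        elif e.section == "O17":
            for ip in f["servers"].replace(" ", "").split(","):
                if ip and not any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS):
                    findings.append((e.section, "DNS server is a public address; confirm it belongs to the ISP", ip))
        elif e.section in ("R0", "R1"):
            host = urlsplit(f["url"]).hostname or ""
            if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
                findings.append((e.section, "non-default IE start/search page; confirm the user chose it", f["url"]))
    return findings


if __name__ == "__main__":
    for section, reason, detail in review(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {reason}\n     {detail}")
```

On the sample it reports the ABC start page, the PATH-resolved RTHDCPL.EXE entry, the public DNS server and the ScsiAccess service; each is a prompt to verify, not a verdict.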
Posted 7/12/2008 6:17 AM


Senior Forum Moderator


Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 29,518, Visits: 54,734
Hi noels7

If you have previously downloaded ComboFix, please delete that version now.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Click on Start/Run, copy and paste the following bold text into the 'Open:' space, then press OK [See image below]:
"%userprofile%\desktop\combofix.exe" /killall



Combofix.exe will start, please follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and download Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.


_______________________________________________


ASAP & UNITE member since 2006





Post #242408
Posted 7/12/2008 7:11 AM
New Member


Group: Forum Members
Last Login: 8/8/2008 6:32 PM
Posts: 63, Visits: 1,516
Richie

As requested

ComboFix 08-07-11.1 - Administrator 2008-07-12 21:21:14.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2711 [GMT 9.5:30]
Running from: C:\Documents and Settings\Administrator\desktop\combofix.exe
Command switches used :: /killall
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\ssprs.dll

.
(((((((((((((((((((((((((   Files Created from 2008-06-12 to 2008-07-12  )))))))))))))))))))))))))))))))
.

2008-07-12 17:45 . 2008-07-12 17:45 <DIR> d-------- C:\Program Files\Avira
2008-07-12 17:45 . 2008-07-12 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-12 14:29 . 2008-07-12 14:29 <DIR> d-------- C:\Program Files\FS Water Configurator
2008-07-12 11:44 . 2008-07-12 11:44 <DIR> d-------- C:\WINDOWS\Logs
2008-07-12 11:44 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-12 11:44 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-12 11:44 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-12 11:44 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-12 11:44 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-12 11:44 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-12 11:44 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-12 11:33 . 2008-07-12 11:33 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-12 11:28 . 2008-07-12 11:28 <DIR> d-------- C:\Program Files\Java
2008-07-12 11:28 . 2008-07-12 11:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-12 11:28 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-12 11:23 . 2008-07-12 15:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-12 10:17 . 2008-06-20 21:21 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-07-12 10:17 . 2008-06-21 03:16 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-07-12 10:17 . 2008-06-20 20:38 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-07-12 10:17 . 2008-06-21 03:16 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-07-12 10:17 . 2008-06-20 21:10 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-18 13:34 . 2008-06-13 20:35 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 18:12 . 2008-05-08 23:32 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 11:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2008-07-12 06:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 05:53 --------- d-----w C:\Program Files\Microsoft Games
2008-07-12 03:11 --------- d-----w C:\Program Files\Ground Environment X
2008-07-12 02:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-25 05:29 --------- d-----w C:\Program Files\PocoMail4
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 03:20 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-04-13 20:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-13 20:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-13 20:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-13 20:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-13 20:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-13 20:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-13 20:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-13 20:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-13 20:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-13 20:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 20:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 20:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-13 20:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-13 20:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-13 20:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-13 20:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2007-11-10 21:21 61 -csh--w C:\WINDOWS\cnerolf.bin
2008-01-26 03:42 61 --sh--w C:\WINDOWS\cnerolf.dat
2007-10-30 08:51 23 -csha-w C:\WINDOWS\system32\cbeeeafd5_r.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Look 'n' Stop"="C:\Program Files\Soft4Ever\looknstop\looknstop.exe" [2007-10-30 19:41 512070]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" [2007-12-27 11:22 6731312]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-02-07 19:10 13500416]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [2008-04-10 18:38 348408]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 17:38 16380416 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
CleanCache3.lnk - C:\Program Files\CleanCache 3.0\CleanCache.exe [2007-10-30 17:41:16 655360]
MailWasherPro.lnk - C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe [2007-10-30 19:30:51 16485023]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=

R1 lnsfw1;lnsfw1;C:\WINDOWS\system32\drivers\lnsfw1.sys [2007-10-30 19:41]
R2 PD91Agent;PD91Agent;C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-02-28 09:44]
R3 rxpvbus;Reality XP Avionics Bus Driver;C:\WINDOWS\system32\DRIVERS\rxpvbus.sys [2005-08-28 20:04]
S3 PD91Engine;PD91Engine;C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-02-29 13:08]
S3 PD91VMDefrag;PD91VMDefrag;C:\Program Files\Raxco\PerfectDisk2008\PD91VMDefrag.exe [2008-02-29 09:44]

.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 21:25:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShow\scsiaccess.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Comodo\CBOClean\boc426.exe
.
**************************************************************************
.
Completion time: 2008-07-12 21:28:28 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-12 11:58:26

Pre-Run: 81,052,405,760 bytes free
Post-Run: 81,036,062,720 bytes free

134 --- E O F --- 2008-07-12 02:57:41

------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:30, on 2008-07-12
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Photodex\ProShow\ScsiAccess.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CleanCache 3.0\CleanCache.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abc.net.au/news/justin/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CleanCache3.lnk = C:\Program Files\CleanCache 3.0\CleanCache.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShow\ScsiAccess.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5796 bytes

Regards

noels7

Post #242410
Posted 7/12/2008 8:04 AM


Senior Forum Moderator


Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 29,518, Visits: 54,734
Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy ALL the text inside the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

[kill explorer]
C:\WINDOWS\system32\cbeeeafd5_r.dll
[start explorer]

Return to OTMoveIt, right click on the "Paste List of Files/Folders to Move" window under the "yellow" bar, and choose Paste, see image below:



Click on the Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.



Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press OK [see image below]
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore.




Please double-click OTMoveIt.exe again to run it.
Click on the 'Cleanup' button
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.



Please download Malwarebytes Anti-Malware:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.
(If using Windows Vista, be sure to "Run As Administrator").

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Run F-Secure Online Scanner.
Note:
This scanner is for Internet Explorer only.
* Click on Online Services and then Online Scanner.
* Accept the License Agreement.
* Once the ActiveX installs, click Full System Scan.
* Once the download completes, the scan will begin automatically.
* The scan will take some time to finish, so please be patient.
* When the scan completes, click the Automatic cleaning (recommended) button.
* Click the Show Report button then copy and paste the entire report into your next reply.


Also post a new Hijackthis log, and let me know how your pc is running now please.


_______________________________________________


ASAP & UNITE member since 2006





Post #242411
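The file the moderator asks to have moved is one of the entries in the ComboFix "Find3M Report" whose attribute field carries the hidden (h) and system (s) letters. As an added example (not from the thread or from ComboFix), here is a Python helper that parses that report section and lists such files under the Windows directory, smallest first; the sample lines are copied from the report posted above, and the meaning of the attribute letters is assumed from those lines rather than taken from ComboFix documentation.

```python
"""Review helper for the 'Find3M Report' section of a ComboFix log (added
example, not from the thread or from ComboFix). It lists files under the
Windows directory whose attribute field carries the hidden (h) or system (s)
letter, which is the kind of entry a log reviewer looks at first. The meaning
of the attribute letters is assumed from the report's own lines."""
import re
from collections import namedtuple

Find3M = namedtuple("Find3M", "date time size attrs path")

# Constructed sample: lines copied from the Find3M report posted above.
SAMPLE_FIND3M = r"""
2008-07-12 11:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 20:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2007-11-10 21:21 61 -csh--w C:\WINDOWS\cnerolf.bin
2008-01-26 03:42 61 --sh--w C:\WINDOWS\cnerolf.dat
2007-10-30 08:51 23 -csha-w C:\WINDOWS\system32\cbeeeafd5_r.dll
"""

# date, time, size (or a run of dashes for a directory), 7-letter attribute field, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) ([-a-z]{7}) (.+)$")


def parse_find3m(text):
    """Parse report lines into Find3M records; size is None for directory entries."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size_val = None if size.startswith("-") else int(size.replace(",", ""))
        entries.append(Find3M(date, time, size_val, attrs, path))
    return entries


def hidden_or_system_under(entries, windir=r"C:\WINDOWS"):
    """Files (not directories) under windir whose attributes include h or s, smallest first."""
    prefix = windir.lower() + "\\"
    hits = [e for e in entries
            if e.size is not None
            and ("h" in e.attrs or "s" in e.attrs)
            and e.path.lower().startswith(prefix)]
    return sorted(hits, key=lambda e: e.size)


if __name__ == "__main__":
    for e in hidden_or_system_under(parse_find3m(SAMPLE_FIND3M)):
        print(f"{e.size:>6} bytes  {e.attrs}  {e.date} {e.time}  {e.path}")
```

The output is a short review list (three entries on the sample), not a verdict; what to do with each file is a judgement call, as the thread shows.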
Posted 7/12/2008 4:40 PM
New Member


Group: Forum Members
Last Login: 8/8/2008 6:32 PM
Posts: 63, Visits: 1,516
Richie

Before I submit logs as requested I should advise of the following:

1. Was unable to get FSecure online scan to work on this computer. Am in the process of downloading 26mgs+ of updated virus defs to enable Kaspersky online scan. Gave up on download as 26+ just went to 40+.

2. My computer sitting alongside the problem one is connected to cable. His computer is only able to be connected to run on dialup. Never thought I would ever see 1-2mg/sec download speeds in the modern world. Unbelievable!

3. As I wait for Kaspersky downloads to finish (year 3020) hopefully, I have done a complete onboard scan using Avira as a precursor for Kaspersky and have included that scan log. Will provide Kaspersky log later if required.

4. Logs as requested:

 Explorer killed successfully
LoadLibrary failed for C:\WINDOWS\system32\cbeeeafd5_r.dll
C:\WINDOWS\system32\cbeeeafd5_r.dll NOT unregistered.
C:\WINDOWS\system32\cbeeeafd5_r.dll moved successfully.
Explorer started successfully
 
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07132008_042108

-----------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.20
Database version: 942
Windows 5.1.2600 Service Pack 3

05:03:17 2008-07-13
mbam-log-7-13-2008 (05-03-17).txt

Scan type: Quick Scan
Objects scanned: 38885
Time elapsed: 1 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------------------------------------

Report file date: 2008-07-13  06:21

Scanning for 1419754 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 3)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    OWNER-DDD62C774

Version information:
BUILD.DAT     : 8.1.00.295      16479 Bytes    4/9/2008 16:24:00
AVSCAN.EXE    : 8.1.2.12       311553 Bytes   3/18/2008 01:32:56
AVSCAN.DLL    : 8.1.1.0         53505 Bytes    2/7/2008 01:13:37
LUKE.DLL      : 8.1.2.9        151809 Bytes   2/28/2008 01:11:23
LUKERES.DLL   : 8.1.2.1         12033 Bytes   2/21/2008 00:58:40
ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes   7/18/2007 03:03:34
ANTIVIR1.VDF  : 7.0.5.1       8182784 Bytes   6/24/2008 08:58:44
ANTIVIR2.VDF  : 7.0.5.86       547840 Bytes    7/9/2008 09:01:34
ANTIVIR3.VDF  : 7.0.5.103      247296 Bytes   7/11/2008 09:02:50
Engineversion : 8.1.0.64 
AEVDF.DLL     : 8.1.0.5        102772 Bytes   2/25/2008 02:28:21
AESCRIPT.DLL  : 8.1.0.46       283002 Bytes   7/12/2008 09:11:19
AESCN.DLL     : 8.1.0.22       119157 Bytes   7/12/2008 09:10:44
AERDL.DLL     : 8.1.0.20       418165 Bytes   7/12/2008 09:10:25
AEPACK.DLL    : 8.1.1.6        364918 Bytes   7/12/2008 09:09:24
AEOFFICE.DLL  : 8.1.0.20       192891 Bytes   7/12/2008 09:08:24
AEHEUR.DLL    : 8.1.0.35      1298806 Bytes   7/12/2008 09:07:54
AEHELP.DLL    : 8.1.0.15       115063 Bytes   7/12/2008 09:05:03
AEGEN.DLL     : 8.1.0.29       307573 Bytes   7/12/2008 09:04:46
AEEMU.DLL     : 8.1.0.6        430451 Bytes   7/12/2008 09:03:58
AECORE.DLL    : 8.1.0.32       168311 Bytes   7/12/2008 09:03:17
AVWINLL.DLL   : 1.0.0.7         14593 Bytes   1/23/2008 09:37:53
AVPREF.DLL    : 8.0.0.1         25857 Bytes   2/18/2008 03:07:50
AVREP.DLL     : 7.0.0.1        155688 Bytes   4/16/2007 05:56:47
AVREG.DLL     : 8.0.0.0         30977 Bytes   1/23/2008 09:37:49
AVARKT.DLL    : 1.0.0.23       307457 Bytes   2/12/2008 00:59:23
AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes   2/28/2008 01:01:31
SQLITE3.DLL   : 3.3.17.1       339968 Bytes   1/22/2008 09:58:02
SMTPLIB.DLL   : 1.2.0.19        28929 Bytes   1/23/2008 09:38:39
NETNT.DLL     : 8.0.0.1          7937 Bytes   1/25/2008 04:35:10
RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes   3/10/2008 07:07:25
RCTEXT.DLL    : 8.0.32.0        86273 Bytes    3/6/2008 04:32:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 2008-07-13  06:21

Starting search for hidden objects.
'45316' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'slrundll.exe' - '1' Module(s) have been scanned
Scan process 'MailWasher.exe' - '1' Module(s) have been scanned
Scan process 'CleanCache.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'boc426.exe' - '1' Module(s) have been scanned
Scan process '_avgas.exe' - '1' Module(s) have been scanned
Scan process 'looknstop.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'slserv.exe' - '1' Module(s) have been scanned
Scan process 'scsiaccess.exe' - '1' Module(s) have been scanned
Scan process 'PD91Agent.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'BOCore.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [INFO]      No virus was found!
Master boot sector HD1
      [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '20' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
      [WARNING]   The file could not be opened!


End of the scan: 2008-07-13  06:59
Used time: 37:23 min

The scan has been done completely.

   9688 Scanning directories
 412914 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
 412914 Files not concerned
   2069 Archives were scanned
      1 Warnings
      0 Notes
  45316 Objects were scanned with rootkit scan
      0 Hidden objects were found

-----------------------------------------------------------------------------

Regards

noels7

Post #242442