Solved

I have multiple problems. thanks in advance!

Posted on 2008-10-29
37
846 Views
Last Modified: 2013-11-22
First, thank you to all who attempt to help me solve this bull___ problem.

I made a dumb move and hooked up my computer at my new residence. Previously it had only been used at one other residence. Upon connecting my Wi-Fi card and doing an iTunes music download and checking my email, my desktop has gone black. It only displays colors, no more images as I fondly remember. Furthermore, it will occasionally display an outline around the screen, and in the upper left corner of the outline it displays a small circle, triangle and square in a white box. Now this outline is where my desktop image should be.

I have used one file by the name of "cleandesktop" (from here: http://www.thespykiller.co.uk/downloads/cleandesktop.exe). It runs, says explorer.exe will now restart. It restores my wallpaper, and when it restarts explorer.exe my desktop goes black & imageless again. That's the closest I have come to solving that. Something it's doing fixes it, and then when Explorer resets it's screwed up again.

My regedit command also responds with the error: "Registry editing has been disabled by your administrator."

I have run Avast, Ad-Aware, CA Anti-Virus, SmitFraudFix, AVG and an AOL spyware scan for the hell of it.
Can't figure anything out and nothing is helping. At one point I was able to use regedit again, but not anymore.

On a side note, before I get the chance to log onto Windows... you know, put in your password and select your account... I get a box with weird symbolic text -- looks to be Chinese or Japanese, definitely Asian of some sort. Sometimes it has more lettering, sometimes less, but I can never get to my logon screen without hitting the OK button. And that's the only button on it, by the way. I think this might be a virus or have something to do with finger.exe. It said finger.exe on it at one point in time.

Just so you guys know: you won't say anything that will confuse me, I have been working with computers for years. The more help the better! I appreciate it, sincerely I do. Ask me for more info if you need it. This is my prized computer. I don't want to have to re-format. Anything but that.

Please help! Thank you =)

-DarkPainter
Question by:Dark_Painter
37 Comments
 
LVL 26

Expert Comment

by:akahan
ID: 22838256
Boot into safe mode, and delete this file:

C:\WINDOWS\System32\finger.exe

Also go through your registry, and delete all references to finger.exe you find in there.

 

Author Comment

by:Dark_Painter
ID: 22838267
Is that the answer to all my problems? Perhaps I neglected to mention that I've run several anti-virus/spyware programs, all of which seem to detect various trojans & other malicious software. I will try your idea right now, but I would like an answer to all of my questions as well.

It's very uncomfortable being violated like this. I love this computer, I don't want to have to take drastic measures, you know? =(
 
LVL 26

Expert Comment

by:akahan
ID: 22838291
Can't say if it's the answer to ALL your problems, but it's likely the answer to at least one of them.
 
LVL 26

Assisted Solution

by:akahan
akahan earned 100 total points
ID: 22838302
If you're unable to use a registry editor because the permissions have been changed to prevent you from doing so, the RRT tool (available here:

 http://www.majorgeeks.com/RRT_Remove_Restrictions_Tool_d5635.html    )

 might help with that.
 

Author Comment

by:Dark_Painter
ID: 22838322
Thank you akahan, long term remains to be seen but as for right now my registry is back up and accessible.

I may have forgotten to mention that programs in the foreground randomly close as well.

Thanks again to everyone helping. One step closer every time.
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 400 total points
ID: 22839279
A HijackThis scan log would help to show what is going on on your PC.

Download here:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Download the installer. Click on "Do a system scan and save a logfile". Post the scan log here via the "attach code snippet" box below.

 
LVL 8

Expert Comment

by:-Mystique-
ID: 22839328
Here are some online HJT log readers too, and a freeware HJT reader that you can download. I personally love the freeware HJT Log Reader; I've been using it for quite a long time now.

Online hijack this log analyzers
http://hjt.networktechs.com/
http://www.hijackthis.de/
http://www.prevx.com/hijackthis.asp
http://www.help2go.com/component/detective/
http://www.2-spyware.com/hjt.php

FREEWARE HIJACK THIS READER
http://www.hollmen.dk/content/view/69/31/
This is the only Hijackthis log analyzer I've ever seen that you can DOWNLOAD and run to analyze HJT logs. And its FREEWARE.  I really like this reader.  It opens the analyzed logfiles in a browser window and gives you detailed information on everything in the log.  

http://www.majorgeeks.com/HijackReader_d5385.html
Hijack Reader can also be downloaded here, and the description here probably is more informative.
Here are some key features of "HijackReader":
· Automatically reads HijackThis logs
· Gives advice on what to fix
· Can output the report to text (txt) or web (html) format
· The web report includes a link, for quick Google searching, based on the object in question
· Requires no installation or DLL files. Does not write any settings to the registry or create any files, unless the user wants it to
· Completely portable. Can be run from a USB-flash drive, CD, etc.
· No internet connection required (unless you want to check things using the Google function)

AnVir Task Manager freeware version has HijackThis included in it and will run and save HJT logs in addition to performing other useful functions. (BTW, AnVir Task Manager and Spybot S&D do not conflict with each other, except that if you run S&D TeaTimer, you will have to give both AnVir AND TeaTimer permission to allow or deny changes anything tries to make to your system!)
http://www.anvir.com/products.htm

To greatly help protect yourself after your system is clean, I advise you to install and use this freeware Hosts File Manager and this hostsfile:
Free hostfile manager
HostsMan
http://www.abelhadigital.com/
freeware hosts file manager and editor

Best free hostsfile list I've seen (available here)
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Using this hosts file with HostsMan blocks not only malware but also blocks a lot of annoying ads too.

Either Anvir task manager (link given above) or Spybot Search & Destroy with its real-time protection "Tea Timer" running, will protect you against any attempts to change startups, registry keys, homepage, etc by blocking the process and prompting you to allow or deny the change.

Spybot Search & Destroy as well as other useful freeware, is available here:
http://www.safer-networking.org/en/download/
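As an added example for this thread (not HostsMan's or the MVPS list's own code), here is how a blocking hosts list is merged safely: only `0.0.0.0`/`127.0.0.1` sinkhole entries are accepted, because a hosts line that points a name at any other address redirects rather than blocks (which is exactly what a hijacked hosts file does), `localhost` is never overridden, hostnames are syntax-checked, and the list lives between marker comments so re-running the merge replaces it instead of appending duplicates. The hosts file and blocklist below are constructed samples, not the real MVPS list.

```python
"""Merge a blocking hosts list (MVPS-style "0.0.0.0 hostname" lines) into a hosts file."""
import re
from typing import List, Tuple

BEGIN, END = "# BEGIN blocklist", "# END blocklist"  # markers make the merge repeatable
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLES = {"0.0.0.0", "127.0.0.1"}

# Constructed samples, not a real hosts file and not the real MVPS list.
HOSTS = "127.0.0.1 localhost\n"
BLOCKLIST = """\
# constructed sample list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 ADS.example.net
0.0.0.0 localhost
1.2.3.4 bank.example.com
0.0.0.0 bad_host.example
"""


def valid_hostname(host: str) -> bool:
    """RFC 1123 shape: dotted labels of 1-63 chars, no leading/trailing '-', 253 max."""
    host = host.lower().rstrip(".")
    return 0 < len(host) <= 253 and all(LABEL.match(p) for p in host.split("."))


def parse_blocklist(text: str) -> Tuple[List[str], List[str]]:
    """Return (hosts to block, rejected raw lines).

    Only sinkhole addresses are accepted: a line carrying a real IP would *redirect*
    the name rather than block it, which is how a hijacked hosts file works.
    Protected local names are never overridden, and duplicates are collapsed.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        host = parts[-1].lower()
        if len(parts) != 2 or parts[0] not in SINKHOLES or host in PROTECTED or not valid_hostname(host):
            rejected.append(raw)
            continue
        accepted.append(host)
    return list(dict.fromkeys(accepted)), rejected


def merge(hosts_file: str, blocklist: str) -> str:
    """Replace (or append) the marked block, so running it again is idempotent."""
    lines = hosts_file.splitlines()
    if BEGIN in lines and END in lines:
        lines = lines[: lines.index(BEGIN)] + lines[lines.index(END) + 1 :]
    blocked, _ = parse_blocklist(blocklist)
    return "\n".join(lines + [BEGIN] + [f"0.0.0.0 {h}" for h in blocked] + [END]) + "\n"
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; write the merged text there with administrator rights, and run `ipconfig /flushdns` afterwards because the DNS Client service caches lookups.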
 

Author Comment

by:Dark_Painter
ID: 22841555
Here's my HJT log. I had forgotten about HJT, it's been so long since I've used this thing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:49:34, on 10/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\COMMON~1\AOL\110539~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110539~1\EE\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\XP_Mods\Changer XP\ChangerXP.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wisptis.exe
C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: C:\WINDOWS\system32\ksaf83hfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c897d} - C:\WINDOWS\system32\ksaf83hfd.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105391705\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\winlogen.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\csrssc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Changer XP.lnk = C:\XP_Mods\Changer XP\ChangerXP.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Dark Painter\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\ksaf83hfd.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: CaCCProvSP (caccprovsp) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FanSpeedNT Service - Unknown owner - C:\Documents and Settings\Dark Painter\Desktop\FanSpeed1_2_0\fanspeedNT.exe (file missing)
O23 - Service: hpdjaio - Unknown owner - C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\hpdjaio.exe (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11315 bytes
 
LVL 26

Expert Comment

by:akahan
ID: 22841681
Your likely problems:

O4 - HKCU\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\winlogen.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\ksaf83hfd.dll
O23 - Service: hpdjaio - Unknown owner - C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\hpdjaio.exe (file missing)

 

Author Comment

by:Dark_Painter
ID: 22841868
akahan, before I attempt to "remove" my likely problems, how would I go about such a task?
Furthermore, I have new information. When I woke up I had about 35 IEXPLORE windows open to odd sites, and my registry is disabling my access intermittently. I used some tools to re-enable it... now it's denying my access again. Sigh.
 
LVL 26

Expert Comment

by:akahan
ID: 22841972
The easiest thing to do is run a variety of Spyware removers...some of them get some things, others get other things.  A couple of these can be nailed with Spybot Search and Destroy.  

The bad registry entries can be deleted using regedit (during one of those moments when you have registry access....you can use RRT again to regain your registry access).

The files in your TEMP directory (winlogen.exe and csrssc.exe) can just be deleted.  If you have trouble deleting them (because they're "locked," or "in use"), you could download Malwarebytes (itself a pretty good -- and free -- Spyware scanner/remover) and use FileAssassin under its "More Tools" menu to delete those stubborn files.

 

Author Comment

by:Dark_Painter
ID: 22842358
Running multiple scans now. From what I remember when I was more heavily involved in computers -- this shouldn't be such a bitch of a task. Am I wrong, or is stuff like this always so tedious?

Keep ideas coming please. This is a 500 pt question after all =)
 
LVL 23

Accepted Solution

by:phototropic
phototropic earned 400 total points
ID: 22842788
These are bad:

O2 - BHO: C:\WINDOWS\system32\ksaf83hfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c897d} - C:\WINDOWS\system32\ksaf83hfd.dll
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKCU\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\winlogen.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\ksaf83hfd.dll
O23 - Service: hpdjaio - Unknown owner - C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\hpdjaio.exe (file missing)

I would recommend scanning with Malwarebytes' Antimalware:

http://www.malwarebytes.org/mbam.php

Download the trial version, update it fully, then click on "Perform a quick scan".  Show results then click on "remove selected". Post the log here.

I would also download lspfix:

http://cexx.org/lspfix.htm

Disconnect from the Internet, then unzip the file and click on the .exe.
Tick the "I know what I am doing" box, move all instances of 'xfire_lsp_10650.dll' to the right "Remove" column. Click on "Finish". Reboot.
 
Good luck!!!
 

Author Comment

by:Dark_Painter
ID: 22846175
Thanks Photo,

However, I still have no desktop, and I have deleted this one file in particular multiple times:

"C:\windows\system32\drivers\47de5cef.sys"

Attached is my own picture of my desktop with that funny box in the upper left corner. I'm convinced it's an image error indication.

Furthermore, Avast feels compelled to request a pre-boot scan, and when I let it shut down, restart and scan before the logon screen -- I think it only removes one thing. It's apparently a virus in the memory, at least that's what it says.
(attachment: desktop.JPG)
 

Author Comment

by:Dark_Painter
ID: 22846186
Forgot to say I will post a HJT log in a second.

Also, I see my custom desktop image when shutting down, but no other time. I do miss it =(
 

Author Comment

by:Dark_Painter
ID: 22846297
There's the log. I had 3 "backups" in HJT and I deleted them, so those are gone now?

Here are my clusters of thoughts right now:

Why is there a damn virus in my memory? Why does the registry allow me access and then randomly disable it? Why can't I start my Windows firewall? I never use it, but I went to try and it says cannot start Windows / ICS Firewall or something weird.

If I didn't have 250+ gig of precious work, school, and memorabilia I might opt for a fresh install, but I would rather figure all this out with the rest of you guys. I do appreciate it. =)
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:52:06, on 10/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Belkin Bulldog Plus\upsd.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\XP_Mods\Changer XP\ChangerXP.exe

C:\Program Files\Belkin Bulldog Plus\MUPS.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\PROGRA~1\COMMON~1\AOL\110539~1\EE\AOLHOS~1.EXE

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\COMMON~1\AOL\110539~1\EE\AOLServiceHost.exe

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\Surmixer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105391705\EE\AOLHostManager.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Changer XP.lnk = C:\XP_Mods\Changer XP\ChangerXP.exe

O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Dark Painter\Start Menu\Programs\IMVU\Run IMVU.lnk

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)

O23 - Service: CaCCProvSP (caccprovsp) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: FanSpeedNT Service - Unknown owner - C:\Documents and Settings\Dark Painter\Desktop\FanSpeed1_2_0\fanspeedNT.exe (file missing)

O23 - Service: hpdjaio - Unknown owner - C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\hpdjaio.exe (file missing)

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

--

End of file - 10466 bytes


0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 400 total points
ID: 22846679
OK. These are bad:
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: hpdjaio - Unknown owner - C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\hpdjaio.exe (file missing)
Go into Services, find the hpdjaio service and stop it. Set it to "disabled".
Then run HJT again and fix the three entries above.

0
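An added triage script for this thread (not part of the original post and not HijackThis's own code): it applies the three checks phototropic made by eye above to the HJT lines in question, with a benign Run entry and a benign service line for contrast. The system-binary list, policy names, temp-path markers and rule wording are this example's own assumptions.

```python
"""HijackThis (HJT) log triage.

Added example for this thread, not code from the original post or from
HijackThis. It encodes the three checks phototropic made by eye above (O4
lookalike image name, O7 policy disabling regedit, O23 service from a temp
directory or orphaned). Binary list, policy names and rule wording are
this example's own assumptions.
"""
import re
from dataclasses import dataclass

# System binaries malware imitates with a one-character change
# (service.exe vs services.exe). Assumed list for this example.
SYSTEM_BINARIES = sorted({
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "smss.exe", "spoolsv.exe",
})
# Policy values that lock the user out of their own repair tools.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr", "DisableCMD"}
# No legitimate service runs from a temp directory (long and 8.3 spellings).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")


@dataclass
class Finding:
    rule: str
    line: str


def edit_distance(a, b):
    """Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _basename(path):
    return re.sub(r"\s*\(file missing\)$", "", path).rsplit("\\", 1)[-1].lower()


def _check_o4(body, line):
    # body: HKLM\..\Run: [name] C:\path\image.exe
    m = re.match(r".*?:\s*\[.*?\]\s*(.+)$", body)
    if not m:
        return None
    image = _basename(m.group(1))
    for legit in SYSTEM_BINARIES:
        if image != legit and edit_distance(image, legit) == 1:
            return Finding("O4 Run image %s mimics %s" % (image, legit), line)
    return None


def _check_o7(body, line):
    # body: HKCU\...\Policies\System, DisableRegedit=1
    m = re.match(r".*?,\s*(\w+)=(\S+)$", body)
    if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) not in ("0", "0x0"):
        return Finding("O7 policy %s=%s disables a repair tool" % m.groups(), line)
    return None


def _check_o23(body, line):
    # body: Service: name - owner - C:\path\image.exe [(file missing)]
    m = re.match(r"Service:\s*(.*) - (.*?) - ([A-Za-z]:\\.+)$", body)
    if not m:
        return None
    owner, path = m.group(2), m.group(3)
    if any(t in path.lower() for t in TEMP_MARKERS):
        return Finding("O23 service image in a temp directory", line)
    if path.endswith("(file missing)") and owner == "Unknown owner":
        return Finding("O23 orphaned service with unknown owner", line)
    return None


CHECKS = {"O4": _check_o4, "O7": _check_o7, "O23": _check_o23}


def triage(log_text):
    """Run every check over an HJT log; sections without a check are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+) - (.*)$", line)
        if m and m.group(1) in CHECKS:
            hit = CHECKS[m.group(1)](m.group(2), line)
            if hit:
                findings.append(hit)
    return findings


# Lines from the HJT log in this thread, plus one benign Run entry for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: hpdjaio - Unknown owner - C:\DOCUME~1\DARKPA~1\LOCALS~1\Temp\hpdjaio.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-45s %s" % (f.rule, f.line))
```

The orphaned-service rule is noisier than the other two (an uninstalled product can leave the same trace), so it belongs at the bottom of the list when reading results.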
 

Author Comment

by:Dark_Painter
ID: 22846735
Services... don't wanna go into the wrong area. That's msconfig, right? I'm pretty sure, but better safe than sorry. I also have a product called Registry Washer running right now. Thoughts?

Oh, and I don't want to be rude, so don't take offense to this; I'm purely curious: how come you know those files are bad?
0

 
LVL 26

Assisted Solution

by:akahan
akahan earned 100 total points
ID: 22846753
No, not msconfig.

To get into the services, press the Start button (lower left-hand corner of the screen), select "Run," and, in the box, type

services.msc

You'll get a list of services that run on your PC; from there, you can disable ones that you do NOT want to have running.  What you do here will survive rebooting.

0
 

Author Comment

by:Dark_Painter
ID: 22846777
Update: the hpdjaio service is NOW disabled, but FYI, under msconfig it showed STOPPED. Used both methods: unchecked it in msconfig, and it was already disabled in services.msc.

Also, did you take a peek at my screenshot on my previous post?

Thanks for the tip about services. I've used msconfig for years and thought that was the way to go.


0
 

Author Comment

by:Dark_Painter
ID: 22846795
Registry Washer supposedly fixed "1500-some" errors, FYI. Rebooting. Maybe something has changed and I will magically have my desktop image display when I log in.
0
 

Author Comment

by:Dark_Painter
ID: 22846818
While I reboot, please view this screenshot. The icon under the Start button is one of the few Windows icons I don't have knowledge of. I would appreciate the identification. Thanks. Be right back with what happens.
0
 

Author Comment

by:Dark_Painter
ID: 22846826
Hah, should have included the picture. =P

desktop.JPG
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22846836
Control Panel - Administrative Tools - Services. Find hpdjaio service, set it to "disabled" and stop it.
Although I've just noticed the "(file missing)", so it may not be listed. In which case you can just fix it with HJT.

http://www.prevx.com/filenames/1431278345653861201-X1/SERVICE.EXE.html
The O7 seems self-explanatory...
http://www.google.co.uk/search?hl=en&q=hpdjaio.exe&start=0&sa=N

Let's try Combofix.  Download and tutorial here:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please post the log here, along with a fresh HJT log after fixing the above entries.

It's nearly 1 am here in the UK...I'll check back in six or seven hours.
0
 

Author Comment

by:Dark_Painter
ID: 22847092
Here is my ComboFix log; it's inside the code snippet function.

Here is something interesting I found: when I kill explorer.exe my desktop image returns, but when I start explorer.exe it's gone and replaced with that image in my screenshots.

I am FAIRLY certain my virus issues have been resolved by now. I have 3+ spyware/malware/antivirus programs running; albeit free, they make me feel more comfortable.

I suppose now we focus on the desktop image issue, as that MAY be a virus. It started around the time I accumulated all the other crappy issues. THANK YOU AGAIN EVERYONE!

ComboFix 08-10-30.09 - Dark Painter 2008-10-30 18:32:39.1 - NTFSx86

Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.98 [GMT -7:00]

Running from: C:\Documents and Settings\Dark Painter\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Dark Painter\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

 * Created a new restore point

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Documents and Settings\Dark Painter\Local Settings\Temporary Internet Files\fbk.sts

C:\Documents and Settings\NetworkService\Application Data\twain_32

C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds

C:\WINDOWS\DelSelf.bat
 

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

-------\Legacy_NPF

-------\Service_NPF
 
 

(((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-31  )))))))))))))))))))))))))))))))

.
 

2008-10-30 16:19 . 2008-10-30 16:21	<DIR>	d--------	C:\Program Files\Registry Washer

2008-10-30 16:19 . 2000-01-24 06:01	2,023,424	--a------	C:\WINDOWS\SYSTEM32\vcl50.bpl

2008-10-30 16:19 . 2003-12-25 19:00	1,873,920	--a------	C:\WINDOWS\SYSTEM32\Rz30Ctls50.bpl

2008-10-30 16:19 . 2000-01-31 05:00	1,496,064	--a------	C:\WINDOWS\SYSTEM32\cc3250mt.dll

2008-10-30 16:19 . 2000-01-24 06:01	248,832	--a------	C:\WINDOWS\SYSTEM32\vclx50.bpl

2008-10-30 16:19 . 2000-01-30 22:00	147,456	--a------	C:\WINDOWS\SYSTEM32\Bcbsmp50.bpl

2008-10-30 16:19 . 2000-01-31 06:00	25,600	--a------	C:\WINDOWS\SYSTEM32\BORLNDMM.DLL

2008-10-30 08:31 . 2008-10-30 08:31	<DIR>	d--------	C:\Documents and Settings\Dark Painter\Application Data\Malwarebytes

2008-10-30 08:30 . 2008-10-30 08:30	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware

2008-10-30 08:30 . 2008-10-30 08:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-10-30 08:30 . 2008-10-22 16:10	38,496	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys

2008-10-30 08:30 . 2008-10-22 16:10	15,504	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys

2008-10-30 07:48 . 2008-10-30 07:48	<DIR>	d--------	C:\Program Files\Trend Micro

2008-10-29 22:40 . 2008-10-29 22:40	<DIR>	d--------	C:\Program Files\Alwil Software

2008-10-29 20:18 . 2008-10-29 20:18	<DIR>	d--------	C:\desktopclean

2008-10-29 14:37 . 2008-10-29 14:37	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg8

2008-10-29 14:32 . 2008-10-30 18:33	<DIR>	d--------	C:\WINDOWS\CAVTemp

2008-10-29 14:27 . 2008-10-29 14:27	<DIR>	d--------	C:\Program Files\CA

2008-10-29 14:27 . 2008-10-29 14:27	880,560	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys

2008-10-29 14:27 . 2008-09-19 15:47	111,856	--a------	C:\WINDOWS\SYSTEM32\isafprod.dll

2008-10-29 14:27 . 2008-10-29 14:27	108,368	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys

2008-10-29 14:27 . 2008-09-19 15:47	99,568	--a------	C:\WINDOWS\SYSTEM32\isafeif.dll

2008-10-29 14:27 . 2008-09-19 15:47	83,256	--a------	C:\WINDOWS\SYSTEM32\vetredir.dll

2008-10-29 14:27 . 2008-10-10 14:40	32,240	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys

2008-10-29 14:27 . 2008-10-10 14:40	26,352	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys

2008-10-29 14:27 . 2008-10-10 14:40	21,488	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys

2008-10-29 14:27 . 2008-10-10 14:40	21,104	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys

2008-10-29 14:15 . 2008-10-29 14:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\CA

2008-10-29 12:17 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\SYSTEM32\VCCLSID.exe

2008-10-29 12:17 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\SYSTEM32\SrchSTS.exe

2008-10-29 12:17 . 2008-09-08 22:38	88,576	--a------	C:\WINDOWS\SYSTEM32\AntiXPVSTFix.exe

2008-10-29 12:17 . 2008-10-01 14:51	87,552	--a------	C:\WINDOWS\SYSTEM32\VACFix.exe

2008-10-29 12:17 . 2008-05-18 20:40	82,944	--a------	C:\WINDOWS\SYSTEM32\IEDFix.exe

2008-10-29 12:17 . 2008-08-18 11:19	82,432	--a------	C:\WINDOWS\SYSTEM32\404Fix.exe

2008-10-29 12:17 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\SYSTEM32\dumphive.exe

2008-10-29 12:17 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\SYSTEM32\WS2Fix.exe

2008-10-29 12:17 . 2008-10-29 12:24	1,674	--a------	C:\WINDOWS\SYSTEM32\tmp.reg

2008-10-29 12:16 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\SYSTEM32\Process.exe

2008-10-29 03:21 . 2007-08-21 07:00	1,536	--a------	C:\WINDOWS\SYSTEM32\Delete_Me_Dummy_karna.dat

2008-10-29 02:12 . 	105,858		C:\WINDOWS\SYSTEM32\DRIVERS\47de5cef.sys

2008-10-29 02:12 . 2008-10-29 02:12	2	--a------	C:\-1202075105

2008-10-27 17:48 . 2008-10-27 17:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\CatRoot_bak

2008-10-27 17:46 . 2008-05-01 07:30	331,776	---------	C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-31 00:30	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP

2008-10-30 23:17	---------	d-----w	C:\Program Files\Memory Washer

2008-10-30 03:05	4,238,336	----a-w	C:\WINDOWS\SYSTEM32\CXUIHOST.EXE

2008-10-15 16:57	332,800	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\netapi32.dll

2008-09-15 11:57	1,846,016	----a-w	C:\WINDOWS\SYSTEM32\win32k.sys

2008-09-15 11:57	1,846,016	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

2008-08-28 10:04	333,056	----a-w	C:\WINDOWS\system32\drivers\srv.sys

2008-08-28 10:04	333,056	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys

2008-08-19 09:38	18,432	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe

2008-08-14 10:00	2,180,352	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe

2008-08-14 09:58	2,136,064	----a-w	C:\WINDOWS\SYSTEM32\ntoskrnl.exe

2008-08-14 09:58	2,136,064	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe

2008-08-14 09:51	138,368	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys

2008-08-14 09:22	2,057,728	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe

2008-08-14 09:22	2,015,744	----a-w	C:\WINDOWS\SYSTEM32\ntkrnlpa.exe

2008-08-14 09:22	2,015,744	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe

2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\SYSTEM32\es.dll

2008-07-07 20:32	253,952	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll

.
 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SB Audigy 2 Startup Menu"="/L:ENG" [X]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 868352]

"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 8704]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]

"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.EXE" [2004-10-04 327769]

"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]

"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-09-29 222448]

"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-19 275696]

"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"CTHelper"="CTHELPER.EXE" [2003-02-20 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]

"AsioReg"="CTASIO.DLL" [2003-02-20 C:\WINDOWS\SYSTEM32\CTASIO.DLL]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"NoActiveDesktopChanges"="00000000" [X]

"NoActiveDesktop"="0 (0x0)" [X]

"NoSaveSettings"="0 (0x0)" [X]

"ClassicShell"="0 (0x0)" [X]
 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-06 113664]

Changer XP.lnk - C:\XP_Mods\Changer XP\ChangerXP.exe [2003-07-21 1261568]

MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2004-12-21 49152]

Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2006-11-30 917611]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 0 (0x0)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="C:\\WINDOWS\\system32\\CXUIHOST.EXE"
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"hpdjaio"=2 (0x2)

"helpsvc"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"AOLService"=2 (0x2)
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Games\\Valve\\Steam\\Steam.exe"=

"C:\\Games\\Valve\\Steam\\SteamApps\\dark painter\\dedicated server\\hlds.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Games\\Valve\\Steam\\SteamApps\\dark painter\\counter-strike\\hl.exe"=

"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"C:\\Program Files\\America Online 9.0a\\waol.exe"=

"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"C:\\Program Files\\Common Files\\AOL\\1105391705\\EE\\AOLServiceHost.exe"=

"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"C:\\Games\\America's Army\\System\\ArmyOps.exe"=

"C:\\Games\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

"C:\\Program Files\\AIM\\aim.exe"=

"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\WINDOWS\\system32\\services.exe"=
 

R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-07-19 78416]

R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

R2 ccSchedulerSVC;CA Common Scheduler Service;C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [2008-09-29 128240]

S1 avgldx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [ ]

S3 SoftFSB;SoftFSB;C:\Documents and Settings\Dark Painter\Desktop\SoftFSB.SYS [1999-12-13 2304]

S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 57344]

.

Contents of the 'Scheduled Tasks' folder
 

2008-06-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Dark Painter\Application Data\Mozilla\Firefox\Profiles\7z4vah09.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official

.
 

**************************************************************************
 

disk not found C:\
 

please note that you need administrator rights to perform deep scan

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  NoActiveDesktopChanges = 3F 00 00 00 

  NoActiveDesktop = 63

  NoSaveSettings = 63

  ClassicShell = 63
 

scanning hidden files ... 
 

scan completed successfully

hidden files: 
 

**************************************************************************
 

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\47de5cef]

"ImagePath"="\SystemRoot\System32\drivers\47de5cef.sys"

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\SYSTEM32\ati2evxx.exe

C:\WINDOWS\SYSTEM32\ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe

C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE

C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe

C:\Program Files\Belkin Bulldog Plus\upsd.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\SYSTEM32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\SYSTEM32\wscntfy.exe

C:\WINDOWS\SYSTEM32\userinit.exe

.

**************************************************************************

.

Completion time: 2008-10-30 18:51:03 - machine was rebooted

ComboFix-quarantined-files.txt  2008-10-31 01:50:49
 

Pre-Run: 114,153,218,048 bytes free

Post-Run: 114,759,217,152 bytes free
 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /KERNEL=CXLOGO.EXE

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="(Backuped by Changer XP)Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
 

234	--- E O F ---	2008-10-29 10:06:33


0
 

Author Comment

by:Dark_Painter
ID: 22847207
Oh, and IEXPLORE.exe, Internet Explorer, won't show images and shows the same mysterious icon that's on my desktop. Hope that helps.

0
 

Author Comment

by:Dark_Painter
ID: 22847224
I checked the box under Tools > Internet Options > Advanced > Multimedia > Show pictures. After I ticked that, my desktop image reappeared. I will sort out who gets what points in the morning before work. Right now I'm glad stuff is fixed and I removed the crapware I found with all y'all's help. Thank you =)
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22848505
OK. If you are satisfied that your pc is clean, you should uninstall Combofix.
Start - Run - combofix /u
This will uninstall the program.

You also have multiple anti-virus apps loaded. Your HJT log showed CA, Avast, AVG, and traces of Symantec.
This could cause conflicts which will impact system performance. Please just have one AV app installed.

0
 

Author Comment

by:Dark_Painter
ID: 22850755
Have to go to work, but I will be back later to update you guys with weird stuff that may happen while I'm gone, or sort out points. Thanks again... I hope other people can use this information too =)
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 400 total points
ID: 22853626
Ok. I've had a chance to look at your Combofix log, and there is still some infection there.

If you still have Combofix on your desktop, please copy/paste the following into notepad
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\SYSTEM32\Delete_Me_Dummy_karna.dat
C:\WINDOWS\SYSTEM32\DRIVERS\47de5cef.sys
C:\-1202075105
C:\WINDOWS\SYSTEM32\CatRoot_bak

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\47de5cef]

--------------------------------------------------------------------

Save it as CFScript.txt to your desktop.
Drag the CFScript.txt into ComboFix.exe.
Combofix will restart.
When it is finished, please post the combofix log and a fresh Hijackthis scan log.

If you have already uninstalled Combofix, I would run Smitfraudfix:

http://siri.geekstogo.com/SmitfraudFix.php

Run option 2 in safe mode. Say Yes to registry cleaning. Please post the log plus a fresh HJT scan log.



0
 

Author Comment

by:Dark_Painter
ID: 22864204
My bad about the delay. Here are the logs.

ComboFix log posted below. Running HJT now.

-----------------------ComboFix Dump
 

ComboFix 08-11-02.04 - Dark Painter 2008-11-02 17:15:16.2 - NTFSx86 NETWORK

Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.345 [GMT -8:00]

Running from: C:\Documents and Settings\Dark Painter\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Dark Painter\Desktop\CFScript.txt
 

FILE ::

C:\-1202075105

C:\WINDOWS\SYSTEM32\CatRoot_bak

C:\WINDOWS\SYSTEM32\Delete_Me_Dummy_karna.dat

C:\WINDOWS\SYSTEM32\DRIVERS\47de5cef.sys

C:\WINDOWS\system32\Process.exe

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\-1202075105

C:\WINDOWS\SYSTEM32\Delete_Me_Dummy_karna.dat

C:\WINDOWS\SYSTEM32\DRIVERS\47de5cef.sys

C:\WINDOWS\system32\Process.exe
 

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

-------\Service_npf
 
 

(((((((((((((((((((((((((   Files Created from 2008-10-03 to 2008-11-03  )))))))))))))))))))))))))))))))

.
 

2008-10-30 23:35 . 2008-10-30 23:36	<DIR>	d--------	C:\Program Files\Net Tools

2008-10-30 23:35 . 2001-04-05 15:43	1,009,336	--a------	C:\WINDOWS\SYSTEM32\mschrt20.ocx

2008-10-30 23:35 . 2004-06-09 14:59	939,224	--a------	C:\WINDOWS\SYSTEM32\Flash.ocx

2008-10-30 23:35 . 2004-03-01 19:55	561,179	--a------	C:\WINDOWS\SYSTEM32\dao360.dll

2008-10-30 23:35 . 2003-03-19 01:03	544,768	--a------	C:\WINDOWS\SYSTEM32\msvcr71d.dll

2008-10-30 23:35 . 1998-06-17 23:00	299,008	--a------	C:\WINDOWS\SYSTEM32\MSDBRPTR.DLL

2008-10-30 23:35 . 1998-06-08 23:00	137,216	--a------	C:\WINDOWS\SYSTEM32\MSDERUN.DLL

2008-10-30 23:35 . 1998-06-23 23:00	103,744	--a------	C:\WINDOWS\SYSTEM32\MSCOMM32.OCX

2008-10-30 23:35 . 2004-08-04 03:21	81,920	--a------	C:\WINDOWS\SYSTEM32\msado25.tlb

2008-10-30 23:35 . 2001-09-07 12:00	61,440	--a------	C:\WINDOWS\SYSTEM32\msado20.tlb

2008-10-30 23:35 . 2001-09-07 13:00	59,904	--a------	C:\WINDOWS\SYSTEM32\wbemdisp.tlb

2008-10-30 23:35 . 2003-01-29 16:50	10,348	--a------	C:\WINDOWS\SYSTEM32\SubclassingSink.tlb

2008-10-30 15:19 . 2008-10-30 15:21	<DIR>	d--------	C:\Program Files\Registry Washer

2008-10-30 15:19 . 2000-01-24 05:01	2,023,424	--a------	C:\WINDOWS\SYSTEM32\vcl50.bpl

2008-10-30 15:19 . 2003-12-25 18:00	1,873,920	--a------	C:\WINDOWS\SYSTEM32\Rz30Ctls50.bpl

2008-10-30 15:19 . 2000-01-31 04:00	1,496,064	--a------	C:\WINDOWS\SYSTEM32\cc3250mt.dll

2008-10-30 15:19 . 2000-01-24 05:01	248,832	--a------	C:\WINDOWS\SYSTEM32\vclx50.bpl

2008-10-30 15:19 . 2000-01-30 21:00	147,456	--a------	C:\WINDOWS\SYSTEM32\Bcbsmp50.bpl

2008-10-30 15:19 . 2000-01-31 05:00	25,600	--a------	C:\WINDOWS\SYSTEM32\BORLNDMM.DLL

2008-10-30 07:31 . 2008-10-30 07:31	<DIR>	d--------	C:\Documents and Settings\Dark Painter\Application Data\Malwarebytes

2008-10-30 07:30 . 2008-10-30 07:30	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware

2008-10-30 07:30 . 2008-10-30 07:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-10-30 07:30 . 2008-10-22 15:10	38,496	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys

2008-10-30 07:30 . 2008-10-22 15:10	15,504	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys

2008-10-30 06:48 . 2008-10-30 06:48	<DIR>	d--------	C:\Program Files\Trend Micro

2008-10-29 21:40 . 2008-10-29 21:40	<DIR>	d--------	C:\Program Files\Alwil Software

2008-10-29 19:18 . 2008-10-29 19:18	<DIR>	d--------	C:\desktopclean

2008-10-29 13:37 . 2008-10-29 13:37	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg8

2008-10-29 13:32 . 2008-11-02 17:09	<DIR>	d--------	C:\WINDOWS\CAVTemp

2008-10-29 13:27 . 2008-10-29 13:27	<DIR>	d--------	C:\Program Files\CA

2008-10-29 13:27 . 2008-10-29 13:27	880,560	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys

2008-10-29 13:27 . 2008-09-19 14:47	111,856	--a------	C:\WINDOWS\SYSTEM32\isafprod.dll

2008-10-29 13:27 . 2008-10-29 13:27	108,368	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys

2008-10-29 13:27 . 2008-09-19 14:47	99,568	--a------	C:\WINDOWS\SYSTEM32\isafeif.dll

2008-10-29 13:27 . 2008-09-19 14:47	83,256	--a------	C:\WINDOWS\SYSTEM32\vetredir.dll

2008-10-29 13:27 . 2008-10-10 13:40	32,240	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys

2008-10-29 13:27 . 2008-10-10 13:40	26,352	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys

2008-10-29 13:27 . 2008-10-10 13:40	21,488	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys

2008-10-29 13:27 . 2008-10-10 13:40	21,104	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys

2008-10-29 13:15 . 2008-10-29 13:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\CA

2008-10-29 11:17 . 2007-09-05 22:22	289,144	--a------	C:\WINDOWS\SYSTEM32\VCCLSID.exe

2008-10-29 11:17 . 2006-04-27 15:49	288,417	--a------	C:\WINDOWS\SYSTEM32\SrchSTS.exe

2008-10-29 11:17 . 2008-09-08 21:38	88,576	--a------	C:\WINDOWS\SYSTEM32\AntiXPVSTFix.exe

2008-10-29 11:17 . 2008-10-01 13:51	87,552	--a------	C:\WINDOWS\SYSTEM32\VACFix.exe

2008-10-29 11:17 . 2008-05-18 19:40	82,944	--a------	C:\WINDOWS\SYSTEM32\IEDFix.exe

2008-10-29 11:17 . 2008-08-18 10:19	82,432	--a------	C:\WINDOWS\SYSTEM32\404Fix.exe

2008-10-29 11:17 . 2004-07-31 16:50	51,200	--a------	C:\WINDOWS\SYSTEM32\dumphive.exe

2008-10-29 11:17 . 2007-10-03 22:36	25,600	--a------	C:\WINDOWS\SYSTEM32\WS2Fix.exe

2008-10-29 11:17 . 2008-10-29 11:24	1,674	--a------	C:\WINDOWS\SYSTEM32\tmp.reg

2008-10-27 16:48 . 2008-10-27 16:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\CatRoot_bak

2008-10-27 16:46 . 2008-05-01 06:30	331,776	---------	C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-31 07:36	---------	d-----w	C:\Program Files\WinPcap

2008-10-31 00:30	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP

2008-10-30 23:17	---------	d-----w	C:\Program Files\Memory Washer

2008-10-30 03:05	4,238,336	----a-w	C:\WINDOWS\SYSTEM32\CXUIHOST.EXE

2008-10-15 16:57	332,800	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\netapi32.dll

2008-09-15 11:57	1,846,016	----a-w	C:\WINDOWS\SYSTEM32\win32k.sys

2008-09-15 11:57	1,846,016	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

2008-08-28 10:04	333,056	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys

2008-08-19 09:38	18,432	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe

2008-08-14 10:00	2,180,352	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe

2008-08-14 09:58	2,136,064	----a-w	C:\WINDOWS\SYSTEM32\ntoskrnl.exe

2008-08-14 09:58	2,136,064	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe

2008-08-14 09:51	138,368	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys

2008-08-14 09:22	2,057,728	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe

2008-08-14 09:22	2,015,744	----a-w	C:\WINDOWS\SYSTEM32\ntkrnlpa.exe

2008-08-14 09:22	2,015,744	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe

.
 

(((((((((((((((((((((((((((((   snapshot@2008-10-30_18.49.53.65   )))))))))))))))))))))))))))))))))))))))))

.

- 2005-10-21 03:02:28	163,328	----a-w	C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-21 04:02:28	163,328	----a-w	C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE

- 2005-10-21 03:02:28	163,328	----a-w	C:\WINDOWS\ERDNT\subs\ERDNT.EXE

+ 2005-10-21 04:02:28	163,328	----a-w	C:\WINDOWS\ERDNT\subs\ERDNT.EXE

- 2000-08-31 15:00:00	28,672	----a-w	C:\WINDOWS\NIRCMD.exe

+ 2000-08-31 16:00:00	28,672	----a-w	C:\WINDOWS\NIRCMD.exe

- 2000-08-31 15:00:00	161,792	----a-w	C:\WINDOWS\SWREG.exe

+ 2000-08-31 16:00:00	161,792	----a-w	C:\WINDOWS\SWREG.exe

+ 2001-11-27 07:13:00	114,688	----a-w	C:\WINDOWS\SYSTEM32\CCGNU32.dll

+ 2004-02-27 07:00:00	962,612	----a-w	C:\WINDOWS\SYSTEM32\MFC42D.DLL

+ 2004-02-27 07:00:00	61,493	----a-w	C:\WINDOWS\SYSTEM32\MFCN42D.DLL

+ 2004-02-17 07:00:00	434,252	----a-w	C:\WINDOWS\SYSTEM32\MSVCRTD.DLL

+ 2006-06-24 04:38:14	452,096	----a-w	C:\WINDOWS\SYSTEM32\nmap.exe

+ 2002-11-21 01:06:46	290,816	----a-w	C:\WINDOWS\SYSTEM32\nmapserv.exe

+ 2002-11-21 02:44:16	77,824	----a-w	C:\WINDOWS\SYSTEM32\nmapwin.exe

- 2008-05-18 00:43:11	64,200	----a-w	C:\WINDOWS\SYSTEM32\PERFC009.DAT

+ 2008-11-03 01:16:18	64,200	----a-w	C:\WINDOWS\SYSTEM32\PERFC009.DAT

- 2008-05-18 00:43:11	407,670	----a-w	C:\WINDOWS\SYSTEM32\PERFH009.DAT

+ 2008-11-03 01:16:18	407,670	----a-w	C:\WINDOWS\SYSTEM32\PERFH009.DAT

- 2000-07-15 14:00:00	101,888	----a-w	C:\WINDOWS\SYSTEM32\VB6STKIT.DLL

+ 1999-03-26 10:00:00	101,888	----a-w	C:\WINDOWS\SYSTEM32\VB6STKIT.DLL

+ 2008-11-03 01:22:41	16,384	----atw	C:\WINDOWS\temp\Perflib_Perfdata_62c.dat

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SB Audigy 2 Startup Menu"="/L:ENG" [X]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 122933]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]

"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 868352]

"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 8704]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]

"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]

"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.EXE" [2004-10-04 327769]

"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]

"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]

"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-09-29 222448]

"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-19 275696]

"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"CTHelper"="CTHELPER.EXE" [2003-02-20 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]

"AsioReg"="CTASIO.DLL" [2003-02-20 C:\WINDOWS\SYSTEM32\CTASIO.DLL]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"NoActiveDesktopChanges"="00000000" [X]

"NoActiveDesktop"="0 (0x0)" [X]

"NoSaveSettings"="0 (0x0)" [X]

"ClassicShell"="0 (0x0)" [X]
 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-06 113664]

Changer XP.lnk - C:\XP_Mods\Changer XP\ChangerXP.exe [2003-07-21 1261568]

MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2004-12-21 49152]

Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2006-11-30 917611]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 0 (0x0)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="C:\\WINDOWS\\system32\\CXUIHOST.EXE"
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"hpdjaio"=2 (0x2)

"helpsvc"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"AOLService"=2 (0x2)
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Games\\Valve\\Steam\\Steam.exe"=

"C:\\Games\\Valve\\Steam\\SteamApps\\dark painter\\dedicated server\\hlds.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Games\\Valve\\Steam\\SteamApps\\dark painter\\counter-strike\\hl.exe"=

"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"C:\\Program Files\\America Online 9.0a\\waol.exe"=

"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"C:\\Program Files\\Common Files\\AOL\\1105391705\\EE\\AOLServiceHost.exe"=

"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=

"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=

"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"C:\\Games\\America's Army\\System\\ArmyOps.exe"=

"C:\\Games\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

"C:\\Program Files\\AIM\\aim.exe"=

"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\WINDOWS\\system32\\services.exe"=
 

R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-07-19 78416]

R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

R2 ccSchedulerSVC;CA Common Scheduler Service;C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [2008-09-29 128240]

S1 47de5cef;47de5cef;C:\WINDOWS\system32\drivers\47de5cef.sys [ ]

S1 avgldx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [ ]

S3 SoftFSB;SoftFSB;C:\Documents and Settings\Dark Painter\Desktop\SoftFSB.SYS [1999-12-13 2304]

S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 57344]

.

Contents of the 'Scheduled Tasks' folder
 

2008-10-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

.
 

**************************************************************************
 

disk not found C:\
 

please note that you need administrator rights to perform deep scan

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  NoActiveDesktopChanges = 3F 00 00 00 

  NoActiveDesktop = 63

  NoSaveSettings = 63

  ClassicShell = 63
 

scanning hidden files ... 
 

scan completed successfully

hidden files: 
 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\SYSTEM32\ati2evxx.exe

C:\WINDOWS\SYSTEM32\ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe

C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE

C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe

C:\Program Files\Belkin Bulldog Plus\upsd.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\SYSTEM32\MsPMSPSv.exe

C:\WINDOWS\SYSTEM32\userinit.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Completion time: 2008-11-02 17:28:05 - machine was rebooted

ComboFix-quarantined-files.txt  2008-11-03 01:27:50

ComboFix2.txt  2008-10-31 01:51:05
 

Pre-Run: 113,367,085,056 bytes free

Post-Run: 114,667,716,608 bytes free
 

254	--- E O F ---	2008-10-29 10:06:33


0
 

Author Comment

by:Dark_Painter
ID: 22864231
and... HJT.

On a side note, explorer.exe no longer starts after login. Related issue? It happened after ComboFix. On the other hand, I don't really mind running explorer.exe from the Task Manager every login.
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:41:29, on 11/2/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Belkin Bulldog Plus\upsd.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\XP_Mods\Changer XP\ChangerXP.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Changer XP.lnk = C:\XP_Mods\Changer XP\ChangerXP.exe

O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - ALWIL Software - (no file)

O23 - Service: CaCCProvSP (caccprovsp) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

--

End of file - 7575 bytes


0
 
LVL 23

Expert Comment

by:phototropic
ID: 22865184
OK. Your HJT log looks clean.

You should uninstall Combofix.
Start - Run - combofix /u
This will uninstall the program.

You also have multiple anti-virus apps loaded. Your HJT log showed CA, Avast, AVG, and traces of Symantec.
This could cause conflicts which will impact system performance. Please just have one AV app installed.



0
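As an added example (not from this thread and not part of HijackThis), here is a small Python triage pass over lines in the shape of the HJT log posted above. It encodes the checks an expert does by eye: autostart targets that cannot be resolved, services whose binary is missing or whose publisher is unknown, remote-access style services, and how many anti-virus products are registered at once. The sample log lines and the vendor keyword table are constructed for the example.

```python
# Constructed sample in the shape of the HijackThis (HJT) log posted above:
# O4 autostarts, O9 browser buttons and O23 services.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [cctray] "C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe"
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - ALWIL Software - (no file)
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\SYSTEM32\\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\\Program Files\\WinPcap\\rpcapd.exe
"""

# Constructed keyword table: substrings (lower-case) that identify an
# anti-virus product in an O4 autostart or O23 service line.
AV_PRODUCTS = {
    "avast": ("avast", "alwil"),
    "AVG": ("avg",),
    "CA Anti-Virus": ("ca anti-virus", "ca internet security"),
    "Symantec": ("symantec", "norton"),
}


def triage_hjt(log_text):
    """Return (findings, av_products).

    findings    -- list of (line, reason) for every line worth a closer look
    av_products -- set of AV product names referenced by O4/O23 lines; more
                   than one means competing real-time scanners are installed
    """
    findings = []
    av_seen = set()
    for line in log_text.splitlines():
        kind = line.split(" - ", 1)[0]      # "O4", "O9", "O23", ...
        low = line.lower()
        if kind in ("O4", "O23"):
            for product, needles in AV_PRODUCTS.items():
                if any(n in low for n in needles):
                    av_seen.add(product)
        if kind == "O23" and line.endswith("(no file)"):
            findings.append((line, "service registered but binary missing: leftover of an uninstalled product"))
        elif kind == "O23" and "Unknown owner" in line:
            findings.append((line, "service binary has no recognised publisher: verify its signature or hash"))
        elif kind in ("O4", "O9") and (line.endswith("= ?") or line.endswith("(file missing)")):
            findings.append((line, "autostart target could not be resolved: verify the shortcut or URL"))
        elif kind == "O23" and "remote" in low:
            findings.append((line, "remote-access style service: confirm it is intended and firewalled"))
    return findings, av_seen


if __name__ == "__main__":
    found, av = triage_hjt(SAMPLE_HJT_LOG)
    for entry, reason in found:
        print(f"{reason}\n    {entry}")
    print("AV products registered:", ", ".join(sorted(av)))
```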
 

Author Comment

by:Dark_Painter
ID: 22869397
Thanks everyone. Just one final question and then I will distribute points. Which AV/spyware app should I trust if I should only run one?
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 400 total points
ID: 22873151
You should only run one AV. Personally I run AVG 8.0, which is good and also free.

You can run as many anti-spyware apps as you like.
Malwarebytes' Anti-Malware is the most comprehensive app at the moment.
Closely followed by Superantispyware:

http://www.superantispyware.com/download.html

I also use Cleanup to regularly purge the temp. file cache:

http://www.stevengould.org/index.php?option=com_content&task=view&id=29&Itemid=223

0
 

Author Closing Comment

by:Dark_Painter
ID: 31511553
Thank you again to all who participated in my computer's recovery. You are all always here when I need you. Hopefully I won't be seeing y'all any time soon =)
0
 
LVL 23

Expert Comment

by:phototropic
ID: 22875224
Glad your problem is resolved.

Thanks for the points and grade.

0
