
Sup.

Every time I'm online, I get an error message something like this:

Microsoft Visual C++ Buffer Overrun Detected, something about Internet Explorer.

What is your expert advice? It's driving me crazy and really starting to worry me.

Any help will be insanely appreciated.

Thanks


Hi xXxMikhailxXx and welcome to DaniWeb


Please download and install HijackThis. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis.

  • Make sure you close down EVERY open window and close ALL browser windows. The only thing that should be open is the HijackThis program.
  • If it gives you an intro screen, just choose 'Do a system scan and save a log file'.
  • If not, run a scan and save the log file.
  • Copy the text file (Ctrl+A then Ctrl+C) and paste it (Ctrl+V) in your next reply.
  • Do not fix any entries in HijackThis since they may be harmless.
  • Make sure to include the System information at the top of the log as well.

Not sure what system information to include?

Windows XP Professional SP2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:43 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BMef16c169] Rundll32.exe "C:\WINDOWS\system32\otkmtnfu.dll",s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202306397031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA60241-BB42-4224-BB52-C5A02F349B72}: NameServer = 196.43.45.190 196.43.46.190

--
End of file - 3312 bytes


Does this have anything to do with my system, particularly my internet connection, running really, really slow - so slow that I can't get anything done?

Thanks :)


Hi xXxMikhailxXx

Yeah, possibly. You are infected, so we will clean you up; then, if symptoms persist, please let us know.

-----------------------

I see no evidence of an anti-virus program on board. Please install, update and run an anti-virus (or, if you do have one, make sure it is enabled). Do not continue until the anti-virus problem has been resolved. Here are some links for anti-virus software.

AVG
Avast
BitDefender Free Edition v7.2

-----------------------

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you're not sure how to disable them, double-check against the list found >>>HERE<<<. This list is not all-inclusive; if your programs are not listed and you are unsure, please ask before continuing.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
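What the reply above keys on in the first HijackThis log is the O4 Run entry that starts a DLL with a random-looking name from system32 through Rundll32, plus the O17 NameServer line that decides which DNS resolvers a slow-browsing machine trusts. The following triage script is an added example, not part of the thread or of HijackThis; it parses lines in the log format shown above (sample lines copied from the thread) and flags those two entry types with a heuristic that is explicitly labelled as such.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

Flags the two entry types a helper looks at first in a log like the one posted:
  * O4 Run entries that launch a DLL through Rundll32 from system32 whose
    name looks machine-generated, and
  * O17 NameServer entries, so the configured DNS resolvers can be checked
    against the ones the ISP actually issues.
"""
import re
from dataclasses import dataclass

# Constructed sample: five lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BMef16c169] Rundll32.exe "C:\WINDOWS\system32\otkmtnfu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA60241-BB42-4224-BB52-C5A02F349B72}: NameServer = 196.43.45.190 196.43.46.190
"""

# "O4 - HKLM\..\Run: [name] command" (HijackThis O4 format as it appears above)
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Rundll32[.exe] followed by an optionally quoted DLL path
RUNDLL_RE = re.compile(r'(?i)\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?')
# "O17 - ...: NameServer = a.b.c.d e.f.g.h"
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d. ]+?)\s*$')


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4" or "O17"
    severity: str  # "suspicious" or "review"
    reason: str
    line: str


def looks_machine_generated(stem: str) -> bool:
    """Heuristic (an assumption of this example, not a HijackThis rule): a
    lowercase-only stem of 6+ letters containing a run of 4+ consonants.
    Legitimate names such as 'ctfmon' would trip it too, so it is only
    applied to DLLs that are launched via Rundll32 from system32."""
    if not re.fullmatch(r"[a-z]{6,}", stem):
        return False
    return max(len(run) for run in re.findall(r"[^aeiou]+", stem)) >= 4


def triage(log_text: str) -> list[Finding]:
    """Return findings for O4 Rundll32 launches and O17 resolver settings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                dll = r.group("dll")
                stem = dll.rsplit("\\", 1)[-1][:-4].lower()
                in_sys32 = "\\system32\\" in dll.lower()
                if in_sys32 and looks_machine_generated(stem):
                    findings.append(Finding("O4", "suspicious",
                        f"Run entry [{m.group('name')}] loads a random-looking "
                        f"{stem}.dll from system32 via Rundll32", line))
                else:
                    findings.append(Finding("O4", "review",
                        f"Run entry [{m.group('name')}] loads {dll} via Rundll32", line))
            continue
        m = O17_RE.match(line)
        if m:
            servers = m.group("servers").split()
            findings.append(Finding("O17", "review",
                "DNS resolvers set to " + ", ".join(servers)
                + "; confirm they are the ISP's", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4} {f.severity:<10} {f.reason}")
```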


I ended up formatting my drive completely to install a Windows Vista upgrade and it seems to be running pretty nice for now.

Thanks so much for yo help man, 'preciate it a lot.


Hi

I hope you're still around. Forget everything I said in my previous post, the problem is back. I can't even connect to most websites, that's how long it takes. It's messed up, man.

Here is the ComboFix log that I did earlier:

ComboFix 08-03-06.2 - Gucci 2008-03-07 13:06:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.233 [GMT 2:00]
Running from: D:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5f0a4a6d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bccdd.ini
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\fyluauhl.dll
C:\WINDOWS\system32\iifdddd.dll
C:\WINDOWS\system32\lhuaulyf.ini
C:\WINDOWS\system32\opnnnon.dll
C:\WINDOWS\system32\tuvsrpp.dll
C:\WINDOWS\system32\vephrrqr.dll
C:\WINDOWS\system32\wlsudeyq.dll
D:\aoadvdcopy.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 08:07 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-07 04:26 . 2008-03-07 04:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-07 00:02 . 2007-12-03 02:10 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-03-07 00:01 . 2008-03-07 00:03 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-06 23:58 . 2008-03-06 23:58 <DIR> d-------- C:\Program Files\MegauploadToolbar
2008-03-06 23:58 . 2008-03-07 12:15 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\MegauploadToolbar
2008-03-06 23:32 . 2008-03-06 23:32 <DIR> d-------- C:\Program Files\Webroot
2008-03-06 23:32 . 2008-03-06 23:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-06 23:32 . 2008-03-06 23:32 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\Webroot
2008-03-06 23:32 . 2008-03-06 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-06 23:32 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-06 23:32 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-06 23:32 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-06 23:32 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-06 23:32 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-06 23:14 . 2008-03-06 23:14 164 --a------ C:\install.dat
2008-03-06 22:43 . 2008-03-06 22:43 360,064 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-03-06 21:51 . 2008-03-06 21:51 <DIR> d-------- C:\Program Files\uTorrent
2008-03-06 21:51 . 2008-03-07 06:45 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\uTorrent
2008-03-06 16:02 . 2008-03-06 16:02 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-03-06 15:58 . 2008-03-06 16:53 <DIR> d-------- C:\Program Files\MSECACHE
2008-03-06 15:47 . 2008-03-06 16:44 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-03-06 14:44 . 2008-03-06 22:45 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-06 13:38 . 2008-03-06 15:43 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-06 13:26 . 2008-03-06 13:26 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-06 13:22 . 2008-03-06 13:23 <DIR> d-------- C:\Program Files\RogueRemover
2008-03-06 12:30 . 2008-03-06 12:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 12:30 . 2008-03-06 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-06 09:39 . 2006-08-21 11:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-06 09:39 . 2006-08-21 11:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-06 09:39 . 2006-08-21 14:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-06 09:31 . 2008-03-06 09:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-06 05:23 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-06 05:04 . 2008-03-06 05:04 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-06 04:32 . 2008-03-06 04:32 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-06 04:10 . 2008-03-06 04:10 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-06 04:08 . 2008-03-06 04:10 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-06 03:44 . 2007-07-09 15:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-06 03:05 . 2007-12-18 11:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-03-06 03:04 . 2006-10-19 15:56 713,216 -----c--- C:\WINDOWS\system32\dllcache\sxs.dll
2008-03-06 03:04 . 2007-03-17 15:43 292,864 -----c--- C:\WINDOWS\system32\dllcache\winsrv.dll
2008-03-06 03:04 . 2007-04-25 16:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2008-03-06 02:39 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-06 02:39 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-06 02:37 . 2004-01-14 03:10 163,840 --a------ C:\WINDOWS\BJPSUNST.EXE
2008-03-06 02:35 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-06 02:31 . 2008-03-06 02:31 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-03-06 02:31 . 2008-03-06 02:31 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-03-06 02:31 . 2006-05-01 07:00 161,792 --a------ C:\WINDOWS\system32\CNMLM86.DLL
2008-03-06 02:30 . 2008-03-06 02:30 <DIR> d--h----- C:\Program Files\CanonBJ
2008-03-06 02:30 . 2008-03-06 02:45 <DIR> d-------- C:\Program Files\Canon
2008-03-06 02:03 . 2008-03-06 02:03 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-06 00:02 . 2008-03-06 00:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-05 23:52 . 2008-03-07 00:01 <DIR> d-------- C:\Program Files\Google
2008-03-05 23:24 . 2008-03-05 23:25 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\Download Manager
2008-03-05 22:50 . 2008-03-05 22:50 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\Corel
2008-03-05 22:50 . 2008-03-07 12:35 2,828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-05 22:50 . 2008-03-05 22:50 8 -r-hs---- C:\Documents and Settings\All Users\Application Data\780903E28D.sys
2008-03-05 22:46 . 2008-03-05 22:46 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-03-05 22:46 . 2008-03-05 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-03-05 22:33 . 2008-03-05 22:33 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-03-05 22:31 . 2008-03-05 22:31 <DIR> d-------- C:\Program Files\Corel
2008-03-05 15:47 . 2008-03-05 15:47 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-05 15:45 . 2008-03-05 15:45 <DIR> d-------- C:\Program Files\Portrait Professional Max 6
2008-03-05 15:45 . 2008-03-05 15:45 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\Anthropics
2008-03-05 13:05 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-05 13:05 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-05 13:05 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-05 13:05 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-05 12:40 . 2008-03-05 12:40 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\Nero
2008-03-05 12:37 . 2008-03-05 12:37 <DIR> d-------- C:\Program Files\Nero
2008-03-05 12:37 . 2008-03-05 12:39 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-05 12:37 . 2008-03-05 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-05 12:28 . 2008-03-05 12:28 <DIR> d-------- C:\Program Files\iTunes
2008-03-05 12:28 . 2008-03-05 12:28 <DIR> d-------- C:\Program Files\iPod
2008-03-05 12:28 . 2008-03-05 12:28 <DIR> d-------- C:\Documents and Settings\Gucci\Application Data\Apple Computer
2008-03-05 12:26 . 2008-03-05 12:27 <DIR> d-------- C:\Program Files\QuickTime
2008-03-05 12:25 . 2008-03-05 12:25 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-05 12:24 . 2008-03-05 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-05 12:17 . 2008-03-05 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-05 11:52 . 2008-03-05 11:52 <DIR> d-------- C:\Program Files\Bonjour
2008-03-05 11:38 . 2008-03-05 11:38 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-05 11:21 . 2008-03-05 11:51 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-05 11:20 . 2008-03-06 22:41 <DIR> d-------- C:\unzipped
2008-03-05 11:14 . 2008-03-06 10:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-05 11:13 . 2006-10-04 16:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-05 11:13 . 2006-10-04 16:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-05 11:13 . 2006-10-04 16:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-05 11:12 . 2008-03-05 11:12 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-05 11:11 . 2008-03-05 11:11 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-05 11:11 . 2008-03-05 11:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-05 11:08 . 2008-03-05 11:08 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-03-05 10:40 . 2008-03-05 11:10 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-05 10:40 . 2004-08-04 00:56 96,768 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-03-05 10:37 . 2008-03-05 10:37 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-05 10:35 . 2004-08-04 00:56 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2008-03-05 10:33 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-05 10:33 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002269_.tmp
2008-03-05 10:30 . 2008-03-05 10:30 <DIR> d-------- C:\WINDOWS\EHome
2008-03-05 03:27 . 2004-08-03 22:31 716,856 --a--c--- C:\WINDOWS\system32\dllcache\imjpcus.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 20:43 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
.

------- Sigcheck -------

868e48d9600bee193d0c6c389c02c489 C:\WINDOWS\system32\drivers\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 327,168 2001-08-23 11:00:00 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
-c----w 359,040 2004-08-03 21:14:42 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
----a-w 359,040 2004-08-03 21:14:42 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
-c--a-w 360,064 2008-03-06 20:43:16 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 360,064 2008-03-06 20:43:16 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B687028-864E-410B-8AC8-7500FBA2A151}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25BE2418-6C95-418F-BE03-0D9B9354A167}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B85B7FF-9E6B-456A-A256-9D248E2C7E92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89B95F56-1525-4FE7-82E6-9A6F602CF845}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB275A71-1FF5-4D16-9125-BDA3E0DEF9C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fbf0ead0-62dd-4ad6-bd0d-be3706c759de}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 02:07 61440]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 03:10 409600]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdddd]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 PSI_SVC_2;Protexis Licensing V2;"c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 14:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 10:25:57 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-06 21:32:47 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 13:16:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-03-07 13:21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 11:21:48
.
2008-03-07 09:38:50 --- E O F ---

Here is a new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:09 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49FD5E5C-A734-4BBF-9F7C-0E0D7100CC61}: NameServer = 196.43.45.190 196.43.46.190
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6317 bytes

I REALLY need to figure this out!

Many thanks!


Hi xXxMikhailxXx

Before we continue cleaning the system I need a bit more info. Your logs are showing XP, what happened to the Vista install you mentioned? Is this the same machine?
