

HJT log (GOHOST


Re: HJT log (GOHOST

Post by Katana » December 31st, 2008, 5:36 am

A couple of questions:

Does it actually say "Fire Engine"?
Do you have any programs that it might relate to?
Where is this icon on the task bar, far left or far right?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: HJT log (GOHOST

Post by pokey23 » December 31st, 2008, 10:54 am

Yes, it really says Fire Engine and the button is on the far left of the task bar, and it pertains to a screensaver which is part of a Christmas Windows Theme. I am no longer using this Theme, as it is no longer Christmas, so I no longer see this Fire Engine Button. Larry
pokey23
Regular Member
 
Posts: 30
Joined: December 17th, 2008, 2:30 pm

Re: HJT log (GOHOST

Post by Katana » December 31st, 2008, 4:55 pm

pokey23 wrote: so I no longer see this Fire Engine Button. Larry

So there are no problems now then?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: HJT log (GOHOST

Post by pokey23 » December 31st, 2008, 7:13 pm

The only issue I have now is the PC seems to be a little sluggish opening apps and the Internet. Since I changed Desktop Themes I no longer see the fire engine button.

I want to thank you for your expert help. It is really nice to have people and a web site to go to for help with things that are way out of my abilities. Thank You Again, Larry


Happy New Year 2009
pokey23
Regular Member
 
Posts: 30
Joined: December 17th, 2008, 2:30 pm

Re: HJT log (GOHOST

Post by Katana » January 1st, 2009, 5:20 pm

pokey23 wrote: The only issue I have now is the PC seems to be a little sluggish opening apps and the Internet.

That could be a multitude of problems, but one thing I do know is that it isn't malware related :)


Here is some general info on slow computers
http://users.telenet.be/bluepatchy/miek ... puter.html

Congratulations, your logs look clean :)

Let's see if I can help you keep it that way

First, let's tidy up.

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.


    Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.


----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you; see HERE for details.

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for home users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • SUPERAntiSpyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some!!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • Firefox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and Adblock Plus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies you will lose any auto-login information for sites that you visit, and will need your passwords.

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day-to-day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
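The post above explains that a hosts file maps human-friendly names to IP addresses and that blocklists such as MVPS HOSTS use it to sink known-bad sites. The script below is an added example (not code from this thread, from Spybot or from MVPS) that reads hosts-file text and separates harmless "blackhole" entries (names pointed at 0.0.0.0 or 127.0.0.1) from entries that send a name to some other routable address, which is what a hosts-file hijack looks like and is worth a manual look on a home PC. The hosts text is constructed for illustration; the host names in it are placeholders, not real sites.

```python
"""Classify hosts-file entries: blocklist sinks versus redirects to real IPs.

Added example; not from the MalwareRemoval.com thread, Spybot or MVPS.
The SAMPLE_HOSTS text and every name in it are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Addresses that blocklist-style hosts files use to sink a name.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample. Lines 3-4 are blocklist style, lines 5-6 send names
# to other machines, line 7 is junk that a careless edit could leave behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test       # blocklist-style entry
127.0.0.1       tracker.example.test
198.51.100.7    www.example-bank.test           # name sent to another machine
  192.0.2.10  update.example-av.test  liveupdate.example-av.test
this line has no address
"""


@dataclass
class HostsEntry:
    address: str
    names: list
    line_no: int

    @property
    def is_blackhole(self) -> bool:
        """True when the entry sinks the name instead of pointing it somewhere."""
        return self.address in BLACKHOLE_ADDRESSES


def parse_hosts(text: str):
    """Parse hosts-file text; returns (entries, errors).

    Comments and blank lines are skipped. A line whose first token is not an
    IP address, or that carries no host name, is reported as an error rather
    than silently dropped, since a malformed line can hide a deliberate edit.
    """
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            errors.append((line_no, raw.strip()))
            continue
        if len(parts) < 2:
            errors.append((line_no, raw.strip()))
            continue
        entries.append(HostsEntry(parts[0], [n.lower() for n in parts[1:]], line_no))
    return entries, errors


def classify(text: str) -> dict:
    """Split entries into 'blocks' (blackhole sinks) and 'redirects'.

    The default 'localhost' line is neither. Every redirect deserves a look:
    a home PC rarely needs one, and a redirect of an update or security
    vendor name is a classic sign that the file has been tampered with.
    """
    entries, errors = parse_hosts(text)
    blocks = [e for e in entries if e.is_blackhole and e.names != ["localhost"]]
    redirects = [e for e in entries if not e.is_blackhole]
    return {"blocks": blocks, "redirects": redirects, "errors": errors}


if __name__ == "__main__":
    result = classify(SAMPLE_HOSTS)
    print(f"{len(result['blocks'])} blocklist entries (fine)")
    for e in result["redirects"]:
        print(f"line {e.line_no}: {', '.join(e.names)} -> {e.address}  <-- check this")
    for line_no, raw in result["errors"]:
        print(f"line {line_no}: unparseable: {raw!r}")
```

On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; pass its contents to classify() instead of the sample. A large blocklist such as MVPS HOSTS produces thousands of "blocks" and should produce no "redirects" at all.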
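The Internet Explorer hardening steps in the post above are given as clicks in the Custom Level dialog. Each of those radio buttons is stored in the registry as a DWORD under the Internet zone key (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), with 0 = Enable, 1 = Prompt and 3 = Disable, so the same six settings can be audited without opening the dialog. The script below is an added example, not code from this thread; it assumes the URLACTION value names documented in Microsoft KB 182569 (1001, 1004, 1201, 1800, 1804, 1607), which the reader should check against that article. The audit itself runs on a plain dict so it works on any machine against the constructed sample; the winreg reader only works on Windows.

```python
"""Audit the IE Internet zone against the settings recommended in the thread.

Added example, not from the MalwareRemoval.com thread. Value names are the
URLACTION ids listed in Microsoft KB 182569 (assumption: verify there).
SAMPLE_ZONE is a constructed snapshot, not a real machine's registry.
"""

# IE stores each Custom Level radio button as one of these DWORD values.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# HKCU subkey for zone 3 (Internet). Per-user values; a machine policy in
# HKLM can override them, so a clean HKCU result is not the whole story.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# value name -> (dialog caption, setting recommended in the thread)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample: two ActiveX settings left on Enable, one sub-frame
# setting on Enable, and 1804 missing from HKCU altogether.
SAMPLE_ZONE = {"1001": ENABLE, "1004": DISABLE, "1201": ENABLE,
               "1800": PROMPT, "1607": ENABLE}


def audit(zone: dict) -> list:
    """Return one finding per setting that is weaker than recommended.

    Enable (0) < Prompt (1) < Disable (3), so a value numerically below the
    recommended one is looser. A value missing from HKCU is reported too:
    IE then falls back to a default the user never reviewed.
    """
    findings = []
    for action, (caption, wanted) in RECOMMENDED.items():
        current = zone.get(action)
        if current is None or current < wanted:
            shown = "not set" if current is None else LEVEL_NAME.get(current, f"value {current}")
            findings.append({"action": action, "setting": caption,
                             "current": shown, "recommended": LEVEL_NAME[wanted]})
    return findings


def read_internet_zone():
    """Read the six values from HKCU on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    zone = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for action in RECOMMENDED:
            try:
                value, _ = winreg.QueryValueEx(key, action)
                zone[action] = value
            except OSError:        # value absent from HKCU
                pass
    return zone


if __name__ == "__main__":
    zone = read_internet_zone()
    if zone is None:
        print("Not on Windows; auditing the constructed sample instead.")
        zone = SAMPLE_ZONE
    for f in audit(zone):
        print(f"{f['action']} {f['setting']}: {f['current']} (recommend {f['recommended']})")
```

A setting that is stricter than recommended (for example Disable where the thread says Prompt) produces no finding, which matches the intent of the post: the list is a floor, not a target.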

Re: HJT log (GOHOST

Post by pokey23 » January 1st, 2009, 8:38 pm

I've done the clean-up you suggested. I read the link about slow PCs. I went to the start button, clicked run, typed msconfig to stop programs starting with Windows, buuuuuut I receive this error message: "Windows cannot find msconfig. Make sure you typed the name correctly and then try again. To search for a file, click the start button, then click search." I don't think this should happen. Also I ran an antispyware scan a little while ago. I clicked on the icon and a box opened up saying it was Windows Installer, asking to OK the installation. Now I know that is not supposed to happen. Any ideas on the latest malfunctions? Larry
pokey23
Regular Member
 
Posts: 30
Joined: December 17th, 2008, 2:30 pm

Re: HJT log (GOHOST

Post by Katana » January 2nd, 2009, 6:24 am

Which "AntiSpyware" scan did you run?



Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
    Please visit this webpage for instructions on using ComboFix:
    http://www.bleepingcomputer.com/combofi ... e-combofix

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: HJT log (GOHOST

Post by pokey23 » January 2nd, 2009, 2:28 pm

I ran a SUPERAntiSpyware scan. I'm trying to use ComboFix now. When I click on the icon on my desktop to install it, it starts but then stops with this message: "Combofix has detected the following real time scanner to be active "ThreatFire"". I'm not sure what this refers to since I have so many different scanning programs. I'm thinking it is with Avira AntiVir Personal Free. I right-clicked the icon to disable it and the umbrella collapsed, so I thought I disabled it the right way. My firewall is disabled. I installed Spybot the other night and today, before running ComboFix, I disabled TeaTimer in that program. I don't know of any other scanning software I might have.
In Windows Security Center the virus protection tab says it is on, and my firewall is off. What virus software could be running? Larry

I finally got ComboFix to work. See below its scan log as well as a new HJT log after the ComboFix scan. Larry

ComboFix 09-01-01.02 - Larry VS 2009-01-02 20:46:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.129 [GMT -5:00]
Running from: c:\documents and settings\Larry VS\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 20:42 . 2009-01-02 20:42 <DIR> d-------- c:\program files\ThreatFire
2009-01-02 20:42 . 2009-01-02 20:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-02 20:42 . 2008-11-17 13:05 51,488 --a------ c:\windows\system32\drivers\TfFsMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 39,200 --a------ c:\windows\system32\drivers\TfSysMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 33,056 --a------ c:\windows\system32\drivers\TfNetMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys
2009-01-02 14:20 . 2009-01-02 14:20 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\Apple Computer
2009-01-02 14:01 . 2009-01-02 14:01 <DIR> d-------- c:\program files\Avira
2009-01-02 14:01 . 2009-01-02 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-31 19:15 . 2008-12-31 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-30 18:44 . 2008-12-31 19:16 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-30 18:41 . 2008-12-30 18:48 47,861 --a------ c:\windows\hpiins01.dat
2008-12-30 18:41 . 2005-04-25 11:32 0 --------- c:\windows\hpimdl01.dat
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpFE7C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpD85C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpAB8C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmpA73C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmp98BC7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmp599C7.FOT
2008-12-27 17:41 . 2008-12-27 17:41 1,409 --a------ c:\windows\system32\tmp20AC7.FOT
2008-12-27 12:58 . 2008-12-27 12:58 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\OpenOffice.org
2008-12-26 11:42 . 2008-12-26 11:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-25 16:41 . 2008-12-25 16:41 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\Netscape
2008-12-24 09:12 . 2008-12-31 22:17 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\WeatherBug
2008-12-22 20:53 . 2008-12-22 20:53 <DIR> d-------- c:\documents and settings\Larry VS\Medtronic
2008-12-22 20:53 . 2008-12-22 20:53 194,362 --a------ c:\windows\system32\drivers\windrvr6.sys
2008-12-22 20:19 . 2008-12-22 20:19 <DIR> d-------- c:\documents and settings\Larry VS\My PaperPort Documents
2008-12-22 20:18 . 2009-01-01 19:16 <DIR> d-------- c:\documents and settings\Larry VS\My Downloads
2008-12-22 20:17 . 2008-12-22 20:18 <DIR> d-------- c:\documents and settings\Larry VS\My Albums
2008-12-22 20:04 . 2009-01-02 14:29 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\Intuit
2008-12-22 19:53 . 2008-12-22 19:53 <DIR> d-------- c:\documents and settings\Larry VS\Application Data\PCToolsFirewallPlus
2008-12-22 19:50 . 2009-01-02 19:32 <DIR> d-------- c:\documents and settings\Larry VS
2008-12-21 20:38 . 2009-01-02 19:27 <DIR> d-------- c:\documents and settings\Guest
2008-12-21 09:52 . 2008-12-21 09:52 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-21 09:52 . 2008-12-21 09:52 <DIR> d-------- c:\program files\JRE
2008-12-20 10:15 . 2008-12-20 10:15 <DIR> d-------- c:\program files\Bonjour
2008-12-13 17:55 . 2008-12-17 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2008-12-12 13:54 . 2008-12-12 13:54 10 --a------ c:\windows\popcinfo.dat
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-10 20:29 . 2008-12-10 20:29 164,352 --a------ c:\windows\system32\SpoonUninstall.exe
2008-12-06 12:21 . 2008-12-06 12:21 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2008-12-06 12:14 . 2008-12-06 12:14 <DIR> d-------- c:\program files\TurboTax
2008-12-05 18:45 . 2008-12-05 18:45 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-05 18:45 . 2008-12-05 18:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-05 18:44 . 2008-12-05 18:44 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-05 18:35 . 2008-12-05 18:35 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-05 18:35 . 2008-12-05 18:35 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-05 18:34 . 2008-12-10 14:26 1,366,890 --a------ c:\windows\setupapi.log.1.old
2008-12-05 18:34 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2008-12-05 18:32 . 2008-12-05 18:36 <DIR> d-------- c:\program files\Zune
2008-12-05 18:29 . 2008-05-02 08:25 465,920 --------- c:\windows\system32\imapi2fs.dll
2008-12-05 18:29 . 2008-05-02 08:25 465,920 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2008-12-05 18:29 . 2008-05-02 08:25 317,952 --------- c:\windows\system32\imapi2.dll
2008-12-05 18:29 . 2008-05-02 08:25 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 01:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 00:16 --------- d-----w c:\program files\HP
2008-12-30 23:44 --------- d-----w c:\program files\Common Files\HP
2008-12-26 16:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-26 15:22 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-23 00:07 --------- d-----w c:\program files\CCleaner
2008-12-21 14:46 --------- d-----w c:\program files\Java
2008-12-06 17:18 --------- d-----w c:\program files\Common Files\Intuit
2008-12-06 17:18 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-12-06 17:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 14:38 --------- d-----w c:\program files\IncrediMail
2008-11-30 19:32 --------- d-----w c:\program files\Amazon
2008-11-22 14:36 --------- d-----w c:\program files\iTunes
2008-11-22 14:36 --------- d-----w c:\program files\iPod
2008-11-22 14:36 --------- d-----w c:\program files\Common Files\Apple
2008-11-22 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 14:33 --------- d-----w c:\program files\QuickTime
2008-11-12 16:22 --------- d-----w c:\program files\Plus!
2008-11-10 17:23 60,032 ----a-w c:\windows\system32\ZuneBusEnum.exe
2008-11-10 17:23 243,840 ----a-w c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 17:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 17:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 17:09 40,832 ----a-w c:\windows\system32\drivers\zumbus.sys
2008-11-10 17:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 17:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 17:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 17:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-11-10 00:38 --------- d-----w c:\program files\RegCure
2008-11-06 00:50 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-11-06 00:21 --------- d-----w c:\program files\Quicken
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 20:47 6 ----a-w c:\windows\Fonts\wfonts.key
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 -c--a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 -c--a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 -c--a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 -c--a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 -c--a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 -c--a-w c:\windows\system32\muweb.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-05-07 17:49 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-11-09 243072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2008-11-17 263456]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Larry\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--a--c--- 2004-07-20 08:34 851968 c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
-----c--- 2004-05-25 08:16 49152 c:\program files\Brother\Brmfl04a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
-----c--- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-01-02 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-01-02 39200]
R2 IntuitUpdateService;Intuit Update Service;"c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [2008-10-10 13088]
R3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys [2009-01-02 33056]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service []
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-03-30 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-03-30 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-03-30 9088]
S3 MusCDriver;MusCDriver;c:\windows\system32\drivers\MusCDriver.sys [2008-10-23 23096]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-10-23 3768]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS []
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\sbfwim.sys [2008-07-25 65576]
S3 USR1806;U.S. Robotics Faxmodem Driver 1806;c:\windows\system32\DRIVERS\USR1806.SYS [2008-01-19 793598]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - TFFSMON
*Newly Created Service* - TFNETMON
*Newly Created Service* - TFSYSMON
*Newly Created Service* - THREATFIRE
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 16:21]
.
- - - - ORPHANS REMOVED - - - -

Notify-!SASWinLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
uInternet Connection Wizard,ShellNext = hxxp://www.incredimail.com/app/?tag=pag ... ncrediMail

c:\windows\Downloaded Program Files\AxCtp2.dll - O16 -: PackageCab
hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
c:\windows\Downloaded Program Files\OSD2EA.OSD
FF - ProfilePath - c:\documents and settings\Larry VS\Application Data\Mozilla\Firefox\Profiles\24fp81vs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/index.php
FF - plugin: c:\documents and settings\Larry VS\Application Data\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 20:53:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll

- - - - - - - > 'lsass.exe'(884)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2009-01-02 20:55:41
ComboFix-quarantined-files.txt 2009-01-03 01:55:36

Pre-Run: 29,627,047,936 bytes free
Post-Run: 29,658,275,840 bytes free

242 --- E O F --- 2008-12-17 23:29:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:00 PM, on 2009-01-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.incredimail.com/app/?tag=pag ... ncrediMail
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6344 bytes
pokey23
Regular Member
 
Posts: 30
Joined: December 17th, 2008, 2:30 pm
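Added here as a worked example, not code from the thread or from HijackThis itself: a small Python parser for the entry lines in a log like the one above. It pulls the section code (R0, O2, O4, O23 and so on) off each line, lists the autostart names from the O4 Run entries, and flags the entries a helper looks at first, namely those that point at a missing file, a missing CLSID or a service with an unknown owner. The sample lines are copied from the log above.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [VTTimer] VTTimer.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\\Program Files\\Belkin\\Belkin Wireless Network Utility\\WLService.exe
O23 - Service: ThreatFire - PC Tools - C:\\Program Files\\ThreatFire\\TFService.exe
"""

# Every HijackThis entry starts with a section code (R0, F1, N2, O4, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Markers that mean something is registered but the file, CLSID or publisher
# behind it is gone or unknown; these are what a helper checks first.
SUSPECT_MARKERS = ("(no file)", "(no CLSID)", "Unknown owner")


def parse_entries(text):
    """Return (section, body) tuples for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def autostart_names(text):
    """Bracketed value names from the O4 (Run key) entries, as HijackThis shows them."""
    names = []
    for section, body in parse_entries(text):
        if section == "O4":
            m = re.search(r"\[(.+?)\]", body)
            if m:
                names.append(m.group(1))
    return names


def flag_entries(text):
    """Entries containing a suspect marker, with the marker(s) that triggered the flag."""
    flagged = []
    for section, body in parse_entries(text):
        hits = [mk for mk in SUSPECT_MARKERS if mk in body]
        if hits:
            flagged.append({"section": section, "body": body, "reasons": hits})
    return flagged
```

Run on the full log above, flag_entries() returns the O9 and O18 AutorunsDisabled leftovers and the Belkin service with no known publisher; the rest of the entries pass.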

Re: HJT log (GOHOST

Unread postby Katana » January 3rd, 2009, 11:36 am

pokey23 wrote:When I click on the icon on my desktop to install it, it starts but then stops with this message: "Combofix has detected the following real time scanner to be active "ThreatFire"". I'm not sure what this refers to since I have so many different scanning programs.

It relates to ThreatFire from PC Tools, which you have just installed:

2009-01-02 20:42 . 2009-01-02 20:42 <DIR> d-------- c:\program files\ThreatFire
2009-01-02 20:42 . 2008-11-17 13:05 51,488 --a------ c:\windows\system32\drivers\TfFsMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 39,200 --a------ c:\windows\system32\drivers\TfSysMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 33,056 --a------ c:\windows\system32\drivers\TfNetMon.sys
2009-01-02 20:42 . 2008-11-17 13:05 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys


The MSConfig problem should now be cured.

    Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U; it needs to be there.



pokey23 wrote:I clicked on the icon and a box opened up saying it was Windows Installer asking to OK the installation. Now I know that is not supposed to happen.
~
I ran a SUPERAntiSpyware scan.


Looking at your logs, it's possible that some Super AntiSpyware files may be missing.
I recommend that you either reinstall or remove it.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: HJT log (GOHOST

Unread postby pokey23 » January 3rd, 2009, 12:43 pm

Hi Katana
I removed everything except PC Tools ThreatFire antivirus free and PC Tools firewall free. Yes, my Run dialog box is working again. I was able to remove Combofix and access msconfig. Thanks for all your help, and I mean that. Larry. Also, the PC is a little quicker than before.
pokey23
Regular Member
 
Posts: 30
Joined: December 17th, 2008, 2:30 pm

Re: HJT log (GOHOST

Unread postby NonSuch » January 10th, 2009, 12:30 am

As this issue appears to be resolved, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California