Author Topic: Recurring requests for reboot  (Read 13118 times)

hap66

  • Guest
Re: Recurring requests for reboot
« Reply #15 on: January 02, 2008, 10:23:36 PM »
Here is the new ComboFix log:

ComboFix 08-01-03.1 - Owner 2008-01-03 14:14:36.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.1.1252.1.1033.18.233 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
 * Created a new restore point

FILE
C:\WINDOWS\system32\orsqkgfx.ini
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\orsqkgfx.ini

.
(((((((((((((((((((((((((   Files Created from 2007-12-03 to 2008-01-03  )))))))))))))))))))))))))))))))
.

2008-01-02 12:25 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-02 12:17 . 2008-01-02 12:17   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-30 11:57 . 2004-01-09 02:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2007-12-30 11:57 . 2007-12-04 05:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-12-30 11:57 . 2007-12-04 07:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-30 11:57 . 2007-12-04 07:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-30 11:57 . 2007-12-04 07:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-30 11:57 . 2007-12-04 07:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-30 09:57 . 2008-01-01 11:56   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2007-12-30 09:57 . 2008-01-01 11:56   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2007-12-30 09:57 . 2008-01-01 11:56   81,920   --a------   C:\WINDOWS\system32\ps2.exe
2007-12-30 09:57 . 2008-01-01 11:56   52,736   --a------   C:\WINDOWS\system\hpsysdrv.exe
2007-12-30 09:57 . 2008-01-03 12:33   182   --a------   C:\WINDOWS\system\hpsysdrv .DAT
2007-12-29 12:06 . 2007-12-29 12:06   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Motive
2007-12-27 14:42 . 2007-12-27 14:42   <DIR>   d--------   C:\Program Files\Google
2007-12-19 09:44 . 2007-12-26 23:41   43,520   --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-19 09:10 . 2007-12-19 09:10   94,208   --a------   C:\WINDOWS\DIIUnin.exe
2007-12-19 09:10 . 2007-12-19 09:44   35,759   --a------   C:\WINDOWS\DIIUnin.dat
2007-12-19 09:10 . 2007-12-19 09:10   2,829   --a------   C:\WINDOWS\DIIUnin.pif
2007-12-19 09:00 . 2007-12-27 23:41   <DIR>   d--------   C:\Program Files\Diablo II
2007-12-06 13:13 . 2007-12-06 13:13   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\VERITAS
2007-12-06 12:22 . 2007-12-06 12:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-06 00:34 . 2007-12-06 00:34   248   --a------   C:\WINDOWS\RomeTW.ini
2007-12-05 22:46 . 2007-12-15 12:02   <DIR>   d--------   C:\Program Files\Activision
2007-12-03 09:54 . 2007-12-03 09:54   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Corel

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 21:13   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSN6
2008-01-03 19:35   ---------   d-----w   C:\Program Files\USB Storage RW
2007-12-31 00:03   ---------   d-----w   C:\Program Files\AWS
2007-12-29 19:06   ---------   d-----w   C:\Program Files\Easy Internet signup
2007-12-16 16:46   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\U3
2007-12-15 19:39   163,644   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-15 19:37   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-05 06:14   ---------   d-----w   C:\Program Files\Common Files\Real
2007-12-05 06:13   ---------   d-----w   C:\Program Files\Real
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-02 20:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\AdobeAUM
2007-12-02 19:34   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-12-02 19:23   ---------   d-----w   C:\Program Files\Macromedia
2007-12-02 19:21   ---------   d-----w   C:\Program Files\Common Files\Macromedia
2007-12-01 18:43   ---------   d-----w   C:\Program Files\Common Files\Adobe Systems Shared
2007-12-01 18:43   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Macrovision
2007-12-01 18:39   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2007-11-30 05:39   ---------   d-----w   C:\Program Files\Western Digital Technologies
2007-11-30 05:23   ---------   d-----w   C:\Program Files\Rhapsody
2007-11-30 05:20   8,413   ----a-w   C:\WINDOWS\system32\drivers\mcstrm.sys
2007-11-30 04:47   ---------   d-----w   C:\Program Files\Hewlett-Packard
2007-11-30 04:46   ---------   d-----w   C:\Program Files\HP
2007-11-30 04:26   ---------   d-----w   C:\Program Files\Common Files\HP
2007-11-30 04:23   ---------   d-----w   C:\Program Files\Common Files\Hewlett-Packard
2007-11-29 20:51   ---------   d-----w   C:\Program Files\Alwil Software
2007-11-29 20:38   ---------   d-----w   C:\Program Files\MSN Messenger
2007-11-29 20:38   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\MSNInstaller
2007-11-29 20:36   ---------   d-----w   C:\Program Files\Qwest
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Common Files\supportsoft
2007-11-29 20:31   ---------   d-----w   C:\Program Files\Actiontec
2007-11-29 20:31   ---------   d-----w   C:\Program Files\2Wire
2007-11-29 20:29   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\InstallShield
2007-11-29 09:02   ---------   d-----w   C:\Program Files\Quicken
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Symantec
2007-11-29 09:01   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-11-29 09:01   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 08:04   ---------   d-----w   C:\Program Files\PC-Doctor for Windows
.

(((((((((((((((((((((((((((((   snapshot@2008-01-03_12.41.48.14   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-02 19:27:13   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-01-03 21:14:33   262,144   ----a-w   C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
.

hap66

  • Guest
Re: Recurring requests for reboot
« Reply #16 on: January 02, 2008, 10:24:06 PM »
the rest of the log:

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 11:44 831557 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-01-01 11:56 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-01 11:56 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-01 11:56 114688]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2008-01-01 11:56 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-01-01 11:56 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-01 11:56 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-01 11:56 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 11:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 11:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-01-01 11:56 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2008-01-01 11:56 198800]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2008-01-01 11:56 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-01 11:57 212992]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2008-01-01 11:57 229437]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2008-01-01 11:57 188416]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-01 11:57 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-01 11:57 79224]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 04:21:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-01 11:42:56]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 00:04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 03:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 22:07:11 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY37E3P1437A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY37E3P1437A
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 14:15:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-01-03 14:16:48
ComboFix-quarantined-files.txt  2008-01-03 21:15:58
ComboFix2.txt  2008-01-03 19:42:02

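One thing a responder would want to check in the Reg Loading Points block above: nearly every HKLM Run entry, from HP, Intel, Realtek, Qwest, Real and avast alike, carries the same file timestamp of 2008-01-01 11:56 or 11:57, while the NVIDIA entries keep their 2003 dates. That is the footprint of something rewriting every autostart executable it could reach in one pass, which is consistent with Maxx's later note that the avast executables were infected. The script below is an added example, not code from the thread, from ComboFix or from avast: it parses ComboFix's `"Name"="path" [date time size]` entries (the line shape visible in the log above), sweeps them in timestamp order, and flags any group of autostart files modified within a two-minute window that spans several unrelated directories. The sample input is an excerpt copied from the posted log; the thresholds (`min_members`, `min_dirs`, `window_minutes`) are assumptions chosen for this case, not published heuristics.

```python
"""Flag autostart executables that share one modification timestamp.

Added example for the thread; not ComboFix, avast or forum code. It reads
the 'Reg Loading Points' block that ComboFix prints and groups the Run
entries by the [YYYY-MM-DD HH:MM size] stamp ComboFix records for each
file. A file infector that patches every autostart binary it can reach
leaves a cluster of unrelated executables, from different vendors and
directories, all modified within the same minute or two. A driver or
application install also touches several files at once, but they sit in
one or two directories, which is why directory diversity is required too.
The thresholds are assumptions chosen for this log.
"""
import ntpath
import re
from datetime import datetime, timedelta

# One ComboFix Run entry: "Name"="path" [date time size [resolved path]]
_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>\d+)'
    r'(?:\s+(?P<resolved>\S.*?))?\]\s*$'
)

# Excerpt of the Reg Loading Points block from the log posted above
# (copied from the thread, not fabricated; only a subset of entries is kept).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 11:44 831557 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-01-01 11:56 52736]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-01 11:56 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-01 11:56 114688]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2008-01-01 11:56 212992]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-01-01 11:56 61440]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-03 11:44 4595712]
"nwiz"="nwiz.exe" [2003-03-03 11:44 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-01-01 11:56 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [2008-01-01 11:56 198800]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-01-01 11:57 212992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-01 11:57 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-01 11:57 79224]
"""


def parse_loading_points(log_text):
    """Return one dict per Run entry: name, path (resolved one if ComboFix
    printed it, e.g. for bare 'nwiz.exe'), mtime as datetime, size in bytes."""
    entries = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, REGEDIT4
        entries.append({
            "name": m.group("name"),
            "path": m.group("resolved") or m.group("path"),
            "mtime": datetime.strptime(f"{m.group('date')} {m.group('time')}",
                                       "%Y-%m-%d %H:%M"),
            "size": int(m.group("size")),
        })
    return entries


def suspicious_clusters(entries, min_members=3, min_dirs=3, window_minutes=2):
    """Sweep entries in mtime order and return clusters whose members were all
    modified within window_minutes of the cluster's first file AND live in at
    least min_dirs distinct directories (case-insensitive, Windows paths)."""
    window = timedelta(minutes=window_minutes)
    clusters, current = [], []
    for e in sorted(entries, key=lambda e: e["mtime"]):  # stable: keeps log order
        if current and e["mtime"] - current[0]["mtime"] > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    flagged = []
    for c in clusters:
        dirs = {ntpath.dirname(e["path"]).lower() for e in c}
        if len(c) >= min_members and len(dirs) >= min_dirs:
            flagged.append(c)
    return flagged


def describe(clusters):
    """One human-readable line per flagged cluster."""
    out = []
    for c in clusters:
        start = c[0]["mtime"].strftime("%Y-%m-%d %H:%M")
        dirs = {ntpath.dirname(e["path"]).lower() for e in c}
        out.append(f"{start}: {len(c)} autostart files across {len(dirs)} "
                   f"directories: " + ", ".join(e["name"] for e in c))
    return out


if __name__ == "__main__":
    for line in describe(suspicious_clusters(parse_loading_points(SAMPLE_LOG))):
        print(line)
```

Run against the excerpt, the three NVIDIA entries dated 2003-03-03 11:44 are grouped but not flagged (they all sit in system32, which is what a driver package looks like), while the ten entries stamped 2008-01-01 11:56/11:57 are reported as one cluster spanning eight directories. The same check applies to HijackThis O4 lines if you first stat the files yourself, since HJT does not print timestamps.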
hap66

  • Guest
Re: Recurring requests for reboot
« Reply #17 on: January 02, 2008, 10:25:15 PM »
And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:24 PM, on 1/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6263 bytes

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recurring requests for reboot
« Reply #18 on: January 02, 2008, 10:37:06 PM »
Well, that looks good from here. How is it at your end?

Offline Maxx_original

  • Moderator
  • Super Poster
  • Posts: 1479
Re: Recurring requests for reboot
« Reply #19 on: January 02, 2008, 11:29:26 PM »
Guys, I know that's quite an annoying problem (when avast executables are infected); essexboy reported it to me already... I'm collecting the samples and inspecting the relations between the infected ashdisp and the infection dropper (that's the most important part: ashdisp can be repaired from setup, but we must stop the reinfection).

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recurring requests for reboot
« Reply #20 on: January 02, 2008, 11:45:30 PM »
Hi Maxx

Depending on how comfortable this user is with the process, I will try to retrieve a copy of the ashdisp file.

hap66

  • Guest
Re: Recurring requests for reboot
« Reply #21 on: January 03, 2008, 12:31:01 AM »
Everything looks great; I even ran Ashdisp.exe through VirusTotal and it came up clean. The computer's running great, thank you for your help. Can these tools I have now (ComboFix/HJT) be used for other virus or adware problems, if another infection happens in the future?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Recurring requests for reboot
« Reply #22 on: January 03, 2008, 12:52:49 AM »
Can these tools I have now (ComboFix/HJT) be used for other viruses or adware problems, if another infection happens in the future?
Most probably. Anyway, you can stay tuned to download new versions of them in the future (although they're not as frequently updated as an antivirus, of course).
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recurring requests for reboot
« Reply #23 on: January 03, 2008, 02:11:00 AM »
If you are up to it, I'd like you to submit a sample from the ComboFix quarantine.

Right-click the "a" icon and click Start avast! Antivirus. Once the interface comes up, click on the Chest, then the User section button.

Right-click anywhere in the window and select Add.

Use Browse to navigate to the following folder:

C:\QOOBOX\QUARANTINE\c\program files

In the right-hand panel a list of files should appear with the added .vir extension.

Single-click on each instance of ashdisp, and click Add each time.

Back in the Chest, right-click on the file and select "Email to Alwil Software".

In the box that appears, paste this in:

ATTN: Maxx

http://forum.avast.com/index.php?topic=32314.15

infected sample of ashdisp


Make sure the box beside MAPI is checked, then click Send. You can send only one sample per mail.

To remove the file from the Chest, right-click on it and select Delete.

You will have to do this before we remove ComboFix.


HijackThis is OK to keep around, but ComboFix should be removed. It won't work after, I think it's 10 days. Tech wasn't quite right; ComboFix is updated constantly, sometimes daily, so the freshest version is best. And yes, it can be used for other things, but it is usually used in conjunction with other tools.

So we'll leave HJT and remove ComboFix. This will take the nasties with it.

Click the Start button, click Run, and copy and paste this line into the box:

combofix /u


It looks like you are using Windows Firewall. It doesn't provide outbound protection. A third-party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

hap66

  • Guest
Re: Recurring requests for reboot
« Reply #24 on: January 03, 2008, 04:28:22 AM »
I don't know if I did it right. I found one ashDisp.exe.vir file that was in the ALWILS~1\avast4 folder and sent that file. Was I supposed to send all the other .vir files from the other folders in the ...\program files folder? But I already uninstalled ComboFix, so I guess that's it.

Thanks again for your help oldman and tech, and thanks for the firewall info.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recurring requests for reboot
« Reply #25 on: January 03, 2008, 05:00:41 AM »
No, I think just the ashdisp file will be good enough; Alwil may not be able to do much with someone else's product. So go ahead and remove them from the Chest. And thank you for taking the time to submit the file, it may save our butts down the road.

You're welcome and stay safe.  ;)


You should also do this:

Create a new restore point

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

Remove old restore points

Disk Cleanup
- Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
« Last Edit: January 03, 2008, 05:26:40 AM by oldman »

hap66

  • Guest
Re: Recurring requests for reboot
« Reply #26 on: January 03, 2008, 05:59:59 AM »
Cool, good to know I could be of some help. Restore point made, old ones deleted!  ;D