InterviewSolution
501. Solve: Something is wrong with this laptop?
Answer» Around December I reformatted my mom's laptop HD because it had about 7 years' worth of crap on it. At first the comp was pretty fast. Now it's ridiculously slow again, although very little has been installed since the reformat. I'm hoping you guys might take a look and help me find the cause. The problem is especially noticeable in IE7, where pages load very slowly and the program sometimes hangs when trying to close it. Oddly enough, file downloads still go at a normal rate. Anywho, I read the "Read this before requesting malware removal help" thread and am following all the directions closely.

Step A - Yes, there is an antivirus installed and it's up to date: Norton Anti-Virus. I'm already aware that most of you don't like Symantec, but Mom does, so I really don't have a choice but to keep it.

Step 1 - I went to Add/Remove Programs and found nothing out of the ordinary. Only programs that she or I have installed.

Step 2 - I dl'd CCleaner and ran it. It removed over 1/2 GB of files. Wow!

Step 3 - I dl'd and ran SUPERAntiSpyware. It found a few threats and took care of them. Here is the log:

Step 4 - I dl'd and ran Malwarebytes, which found no threats. Here is the log:

Step 5 - Java is up to date.

Step 6 - I dl'd and ran HijackThis. Here is the log:
So that's everything. Any help would be appreciated. Thanks in advance!

Run HijackThis again and save the log. This time, before copying it in Notepad, go to Format and then click Word Wrap. Now copy and paste the log.

502. Solve: Registry & Kernel FC? (slow computer)?
Answer» I'm not sure if this is from the leftover remains of a previously removed virus or just something out of place in my registry or what...

503. Solve: Generic Dropper?
Answer» About a month ago I had a new hard drive installed in my computer. I have the following:

504. Solve: How to run ComboFix on a slave drive?
Answer» How do you run ComboFix on a slave drive? The drive is an external USB device.

Sorry, but at the request of sUBs we cannot offer assistance in how to use ComboFix. There is a guide and that's the best we can do: How to use ComboFix. You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool, it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

505. Solve: Failed removal Virus & malware?
Answer» Details say my Shaw Secure virus program could not delete these files. Please help, my PC is getting an alert every second. When I open Firefox a pop-up says 10 incoming alerts in 10 seconds, so I did a virus scan and this is the report:

506. Solve: evil virus, please help!?
Answer» hello,
---------- Next post please add:
Did what you said, they are not there. What next? Thanks again!

Try the other steps.

Hey evilfantasy, so sorry I missed those steps, I thought it was your signature... I d/l SDFix and then went to Safe Mode but I get an error saying: ERROR c:sdfix refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check and make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again... I have SDFix on the desktop but it does not show in Safe Mode. I also d/l the Trend Micro HijackThis, so I scanned with that, hope it's of some help...
Double-click on the SDFix icon and allow it to install. Then go into Safe Mode and follow the instructions on how to run it.

Hey, thanks for bearing with me... got it to work!
HijackThis log (new, after SDFix finished):
AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink\PowerStarter\PowerBar.exe" /AtBootTime O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [febijenule] Rundll32.exe "C:\WINDOWS\system32\gekujedo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [febijenule] Rundll32.exe "C:\WINDOWS\system32\gekujedo.dll",s (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user') O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172645199492 O20 - AppInit_DLLs: C:\WINDOWS\system32\gubitahu.dll zwviso.dll c:\windows\system32\depubedu.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\depubedu.dll O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\depubedu.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. 
- C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 11777 bytes

Go to Add or Remove Programs and uninstall: AVG Anti-Spyware 7.5. It's outdated, so it's not doing any good running.
Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)
Exit HijackThis.
----------
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix

thanks again for walking me thru this!!

ComboFix 09-03-02.01 - eileen 2009-03-03 0:30:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.612 [GMT -5:00]
Running from: c:\documents and settings\eileen\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\ahozupot.ini
c:\windows\system32\bazamufa.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekarnadllxo.sys
c:\windows\system32\gubitahu.dll
c:\windows\system32\senekahgkrmqpx.dll
c:\windows\system32\senekapxmqsdne.dll
c:\windows\system32\senekatyqqholi.dll
c:\windows\system32\senekaurvstbos.dat
c:\windows\system32\senekawborfdad.dat
c:\windows\system32\zwviso.dll
----- BITS: Possible infected sites -----
hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_SENEKA ((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 ))))))))))))))))))))))))))))))) . 2009-03-02 22:31 . 2009-03-02 22:32 d-------- c:\windows\ERUNT 2009-03-02 20:54 . 2009-03-02 22:55 d-------- C:\SDFix 2009-03-01 22:25 . 2006-03-24 13:01 d-------- c:\documents and settings\Administrator\WINDOWS 2009-03-01 22:25 . 2006-03-24 13:57 d--h----- c:\documents and settings\Administrator\InstallAnywhere 2009-03-01 22:25 . 2006-03-24 11:57 d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver 2009-03-01 22:25 . 2006-03-24 13:56 d-------- c:\documents and settings\Administrator\Application Data\Leadertech 2009-03-01 22:25 . 2006-03-24 12:15 d-------- c:\documents and settings\Administrator\Application Data\IsolatedStorage 2009-03-01 22:25 . 2005-10-18 13:03 d-------- c:\documents and settings\Administrator\Application Data\Intel 2009-03-01 22:25 . 2006-02-15 02:03 d-------- c:\documents and settings\Administrator\Application Data\CyberLink 2009-03-01 22:25 . 2006-10-31 01:32 d-------- c:\documents and settings\Administrator\Application Data\AOL 2009-03-01 22:25 . 2006-03-24 13:43 d-------- c:\documents and settings\Administrator\Application Data\Allume Systems 2009-03-01 22:25 . 2006-03-24 12:10 d-------- c:\documents and settings\Administrator\Application Data\ACT 2009-03-01 22:25 . 2009-03-01 22:26 d-------- c:\documents and settings\Administrator . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-03-03 00:47 --------- d-----w c:\program files\Trend Micro 2009-03-01 23:08 84,992 --sha-w c:\windows\system32\depubedu.dll 2009-03-01 23:08 79,872 --sha-w c:\windows\system32\topuzoha.dll 2009-02-15 16:18 --------- d-----w c:\program files\Google 2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll 2008-05-20 02:47 1,540 ----a-w c:\documents and settings\eileen\Application Data\wklnhst.dat 2006-03-24 17:16 56 --sh--r c:\windows\system32\881A445A90.sys 1601-01-01 00:12 47,616 --sha-w c:\windows\system32\gekujedo.dll 2006-06-24 07:17 1,890 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-09-29 19:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092920080930\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856] "PowerBar"="c:\program files\CyberLink\PowerStarter\PowerBar.exe" [2004-12-31 110592] "Power2GoExpress"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-27 729178] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648] "SMSI Loader"="c:\program files\Common Files\Smith Micro Shared\Fax\SMLoader.exe" [2004-10-12 32768] "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152] "RestoreIT!"="c:\program files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" [2005-02-15 114688] "RemoteControl"="c:\program 
files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-24 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "PCPitstop Disk MD Registration Reminder"="c:\program files\PCPitstop\Disk MD\Reminder.exe" [2008-01-17 1012952] "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393] "MotiveMonitor"="c:\program files\Motive\AsstCommon\motmon.exe" [2004-09-22 155648] "Motive SmartBridge"="c:\progra~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2005-04-13 385024] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-06-01 401408] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-06-03 385024] "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976] "EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-06-01 356352] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168] "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968] "APL"="c:\program files\ACT\ACT for Win 7\APL.exe" [2005-05-24 20480] "A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744] "0418d60c"="c:\windows\system32\topuzoha.dll" [2009-03-01 79872] "CPM072be590"="c:\windows\system32\depubedu.dll" [2009-03-01 84992] "febijenule"="c:\windows\system32\gekujedo.dll" [ 47616] "SMSERIAL"="sm56hlpr.exe" [2005-05-26 c:\windows\sm56hlpr.exe] "RTHDCPL"="RTHDCPL.EXE" [2005-05-04 c:\windows\RTHDCPL.EXE] "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe] 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] Digital Lifeline.lnk - c:\program files\Digital Lifeline\bin\mpbtn.exe [2006-04-01 172032] Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-04-15 819200] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler] "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\depubedu.dll" [2009-03-01 84992] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\depubedu.dll [2009-03-01 84992] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2005-06-01 00:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\depubedu.dll,c:\windows\system32\gubitahu.dll "LoadAppInit_DLLs"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM "VIDC.ACDV"= ACDV.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\windows\system32\gubitahu.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\ACT\\ACT for Win 
7\\Act7.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\explorer.exe"= R0 ptpd;Disk Filter Driver;c:\windows\system32\drivers\ptpd.sys [2005-08-16 6656] R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-04-04 43512] R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2006-06-23 179482] R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34312] R2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2005-08-26 5088] R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2005-08-26 2304] S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2005-08-26 45056] --- Other Services/Drivers In Memory --- *Deregistered* - BROWSER *Deregistered* - CryptSvc *Deregistered* - DcomLaunch *Deregistered* - Dhcp *Deregistered* - Dnscache *Deregistered* - dvpapi *Deregistered* - ekrn *Deregistered* - ERSvc *Deregistered* - EventSystem *Deregistered* - EvtEng *Deregistered* - FastUserSwitchingCompatibility *Deregistered* - helpsvc *Deregistered* - ImapiService *Deregistered* - iPod Service *Deregistered* - lanmanserver *Deregistered* - lanmanworkstation *Deregistered* - LmHosts *Deregistered* - MSSQL$ACT7 *Deregistered* - Netman *Deregistered* - Nla *Deregistered* - OwnershipProtocol *Deregistered* - PolicyAgent *Deregistered* - ProtectedStorage *Deregistered* - RasMan *Deregistered* - RegSrvc *Deregistered* - RpcSs *Deregistered* - S24EventMonitor *Deregistered* - SamSs *Deregistered* - Schedule *Deregistered* - seclogon *Deregistered* - SENS *Deregistered* - ServiceLayer *Deregistered* - SharedAccess *Deregistered* - ShellHWDetection *Deregistered* - Spooler *Deregistered* - srservice *Deregistered* - SSDPSRV *Deregistered* - stisvc *Deregistered* - TapiSrv *Deregistered* - TermService *Deregistered* - Themes *Deregistered* - TrkWks *Deregistered* - W32Time *Deregistered* - WebClient *Deregistered* - winmgmt *Deregistered* - wscsvc *Deregistered* - wuauserv *Deregistered* - WZCSVC . 
Contents of the 'Scheduled Tasks' folder 2009-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . - - - - ORPHANS REMOVED - - - - BHO-{f7994b48-f54e-41b7-af81-b79cd479473a} - c:\windows\system32\wulibuli.dll HKLM-Run-NetscapeClient - (no file) HKLM-Run-farstone - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://msn.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = 127.0.0.1;*.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML Trusted Zone: aol.com\free DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-03 00:42:19 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS ---------------------
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(948)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
.
**************************************************************************
.
Completion time: 2009-03-03 0:52:02 - machine was rebooted [eileen]
ComboFix-quarantined-files.txt 2009-03-03 05:51:55
Pre-Run: 14,113,845,248 bytes free
Post-Run: 14,117,203,968 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
315 --- E O F --- 2009-02-28 15:38:16

Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
Code:
KillAll::
Driver::
881A445A90
File::
C:\WINDOWS\system32\881A445A90.sys
C:\WINDOWS\system32\bazamufa.dll
C:\WINDOWS\system32\depubedu.dll
C:\WINDOWS\system32\gekujedo.dll
C:\WINDOWS\system32\gubitahu.dll
C:\WINDOWS\system32\topuzoha.dll
C:\WINDOWS\system32\wulibuli.dll
C:\WINDOWS\system32\zwviso.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0418d60c"=-
"CPM072be590"=-
"febijenule"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.
Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

combo fix, new one... thanks for ur attention and patience to this pesky problem!
eileen Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.453 [GMT -5:00] Running from: c:\documents and settings\eileen\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\eileen\Desktop\CFScript.txt AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) * Created a new restore point * Resident AV is active FILE :: c:\windows\system32\881A445A90.sys c:\windows\system32\bazamufa.dll c:\windows\system32\depubedu.dll c:\windows\system32\gekujedo.dll c:\windows\system32\gubitahu.dll c:\windows\system32\topuzoha.dll c:\windows\system32\wulibuli.dll c:\windows\system32\zwviso.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\881A445A90.sys c:\windows\system32\ahozupot.ini c:\windows\system32\depubedu.dll c:\windows\system32\efekefab.ini c:\windows\system32\gekujedo.dll c:\windows\system32\iesoiz.dll c:\windows\system32\iniwonug.ini c:\windows\system32\jumidani.dll c:\windows\system32\mayonibe.dll c:\windows\system32\qqdoxl.dll . ((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 ))))))))))))))))))))))))))))))) . 2009-03-02 22:31 . 2009-03-02 22:32 d-------- c:\windows\ERUNT 2009-03-02 20:54 . 2009-03-02 22:55 d-------- C:\SDFix 2009-03-01 22:25 . 2006-03-24 13:01 d-------- c:\documents and settings\Administrator\WINDOWS 2009-03-01 22:25 . 2006-03-24 13:57 d--h----- c:\documents and settings\Administrator\InstallAnywhere 2009-03-01 22:25 . 2006-03-24 11:57 d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver 2009-03-01 22:25 . 2006-03-24 13:56 d-------- c:\documents and settings\Administrator\Application Data\Leadertech 2009-03-01 22:25 . 2006-03-24 12:15 d-------- c:\documents and settings\Administrator\Application Data\IsolatedStorage 2009-03-01 22:25 . 2005-10-18 13:03 d-------- c:\documents and settings\Administrator\Application Data\Intel 2009-03-01 22:25 . 
2006-02-15 02:03 d-------- c:\documents and settings\Administrator\Application Data\CyberLink 2009-03-01 22:25 . 2006-10-31 01:32 d-------- c:\documents and settings\Administrator\Application Data\AOL 2009-03-01 22:25 . 2006-03-24 13:43 d-------- c:\documents and settings\Administrator\Application Data\Allume Systems 2009-03-01 22:25 . 2006-03-24 12:10 d-------- c:\documents and settings\Administrator\Application Data\ACT 2009-03-01 22:25 . 2009-03-01 22:26 d-------- c:\documents and settings\Administrator . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-03 00:47 --------- d-----w c:\program files\Trend Micro 2009-02-15 16:18 --------- d-----w c:\program files\Google 2008-05-20 02:47 1,540 ----a-w c:\documents and settings\eileen\Application Data\wklnhst.dat 2006-06-24 07:17 1,890 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-09-29 19:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092920080930\index.dat . ((((((((((((((((((((((((((((( [email protected]_ 0.49.32.89 ))))))))))))))))))))))))))))))))))))))))) . + 2009-03-03 19:11:22 79,872 --sha-w c:\windows\system32\bafekefe.dll + 2009-03-03 07:11:28 79,872 --sha-w c:\windows\system32\gunowini.dll + 2009-03-03 07:11:33 84,992 --sha-w c:\windows\system32\mirikiri.dll + 2009-03-03 19:11:20 84,992 --sha-w c:\windows\system32\zositene.dll + 2009-03-03 19:47:14 16,384 ----atw c:\windows\temp\Perflib_Perfdata_23c.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f7994b48-f54e-41b7-af81-b79cd479473a}] c:\windows\system32\wulibuli.dll [BU] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856] "PowerBar"="c:\program files\CyberLink\PowerStarter\PowerBar.exe" [2004-12-31 110592] "Power2GoExpress"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-27 729178] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648] "SMSI Loader"="c:\program files\Common Files\Smith Micro Shared\Fax\SMLoader.exe" [2004-10-12 32768] "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152] "RestoreIT!"="c:\program files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" [2005-02-15 114688] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-24 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "PCPitstop Disk MD Registration Reminder"="c:\program files\PCPitstop\Disk MD\Reminder.exe" [2008-01-17 1012952] "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393] "MotiveMonitor"="c:\program files\Motive\AsstCommon\motmon.exe" [2004-09-22 155648] "Motive SmartBridge"="c:\progra~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2005-04-13 385024] "iTunesHelper"="c:\program 
files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-06-01 401408] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-06-03 385024] "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976] "EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-06-01 356352] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168] "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968] "APL"="c:\program files\ACT\ACT for Win 7\APL.exe" [2005-05-24 20480] "A Verizon App"="c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744] "SMSERIAL"="sm56hlpr.exe" [2005-05-26 c:\windows\sm56hlpr.exe] "RTHDCPL"="RTHDCPL.EXE" [2005-05-04 c:\windows\RTHDCPL.EXE] "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] Digital Lifeline.lnk - c:\program files\Digital Lifeline\bin\mpbtn.exe [2006-04-01 172032] Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-04-15 819200] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2005-06-01 00:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM "VIDC.ACDV"= ACDV.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] 
"UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"= R0 ptpd;Disk Filter Driver;c:\windows\system32\drivers\ptpd.sys [2005-08-16 6656] R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-04-04 43512] R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2006-06-23 179482] R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-08-18 34312] R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-08-18 468224] R2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2005-08-26 5088] R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2005-08-26 2304] R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?] S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2005-08-26 45056] S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?] . Contents of the 'Scheduled Tasks' folder 2009-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . - - - - ORPHANS REMOVED - - - - BHO-{481e6f28-4631-431f-a294-37e9109ffdd8} - c:\windows\system32\qqdoxl.dll . ------- Supplementary Scan ------- . 
uStart Page = hxxp://msn.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = 127.0.0.1;*.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML Trusted Zone: aol.com\free DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-03 14:50:08 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] "ThreadingModel"="Apartment" ="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,be,b2,da,62,08, 34,5b,07,c8,28,51,af,b0,29,a3,98,35,d7,10,2e,05,fb,a7,87,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] "ThreadingModel"="Apartment" ="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,0f,eb,74,0b,be, 15,bf,48,71,3b,04,66,8b,46,0d,96,24,d3,61,cd,4e,a2,34,75,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] "ThreadingModel"="Apartment" ="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,65,31,ac,d0,b8, f0,73,2c,25,da,ec,7e,55,20,c9,26,74,4b,01,81,07,51,fe,72,ff,7c,85,e0,43,d4,\ 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] "ThreadingModel"="Apartment" ="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,14,fb,f9,ba,92,

Download OTMoveIt3 by OldTimer. Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).

```
:Processes
explorer.exe
:reg
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f7994b48-f54e-41b7-af81-b79cd479473a}]
:files
c:\windows\system32\wulibuli.dll
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
```

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
* Close OTMoveIt3.

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

----------
Download Malwarebytes' Anti-Malware (MBAM)
----------
Also let me know how the computer is running now.

Hello! The PC is running back to normal, no redirecting or pop-ups! When I start up, a new screen opens: it's the screen before safe mode, then it goes to the regular welcome screen. Is it OK that that happens? Also, can I re-install Google Toolbar after this is done, or should I stay away from it? Thanks again! eileen

OTMoveIt log:

```
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f7994b48-f54e-41b7-af81-b79cd479473a}\\ not found.
========== FILES ==========
File/Folder c:\windows\system32\wulibuli.dll not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_23c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03032009_154730

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_23c.dat not found!
```
MBAM log:

```
Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 3
3/3/2009 4:21:02 PM
mbam-log-2009-03-03 (16-21-02).txt
Scan type: Quick Scan
Objects scanned: 68056
Time elapsed: 4 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7994b48-f54e-41b7-af81-b79cd479473a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f7994b48-f54e-41b7-af81-b79cd479473a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
```

Yes, Google Toolbar is fine. The new screen is the Recovery Console installed by ComboFix.
The above procedure will:
----------
1. Double click OTMoveIt3.exe to launch it. Vista users right click and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit out of OTMoveIt3.
----------
Use the Secunia Software Inspector to check for out of date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Thank you so much evilfantasy!! I do have a few more questions for you... After I did the combofix /u, then the MoveIt clean up, it rebooted for me and I still had that screen when it restarted, but the ComboFix desktop icon is gone. Should I restart again to see if that page is totally gone? I don't mind that screen, so is it OK if it stays? When I tried the Secunia Inspector it ran into a Java applet problem and is taking forever, seems like an error with Java? Also, what happened to ESET NOD32, why didn't it stop this? I do blame myself for this! Maybe I don't have ESET configured properly? Can you clarify whether this was a virus, malware, adware/spyware or all of the above? I looked it up and I thought Trojan Vundo was a virus with all that junk rolled into it?
Sorry for all the noob questions, and I assure you I will not click on anything that is not trusted, especially if it has to do with streaming movies or music. I use Amazon and iTunes anyway; I tried Morpheus and ZoneAlarm saved me from a trojan! Thanks again, you are invaluable! eileen |
|
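The ComboFix log in this thread shows the pattern the helper was chasing: freshly created DLLs under system32 with hidden and system attributes (the `--sha-w` column) and eight-letter names made of alternating consonants and vowels, dropped in pairs of identical size. The following Python is an added example, not part of the thread and not ComboFix's own code: it parses lines in the layout of ComboFix's "Files Created" and "Find3M" sections and scores them with three triage heuristics of the example's own (attribute test, name pattern, shared size). The sample lines are constructed to match the log above, and the reading of the attribute column as "s = system, h = hidden, d = directory" is taken from how it is rendered there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of ComboFix's "Files Created" / "Find3M"
# sections. Names and sizes echo the log above; a leading "+ " marks an entry
# ComboFix saw for the first time on a re-run.
SAMPLE_LOG = r"""
+ 2009-03-03 19:11:22 79,872 --sha-w c:\windows\system32\bafekefe.dll
+ 2009-03-03 07:11:28 79,872 --sha-w c:\windows\system32\gunowini.dll
+ 2009-03-03 07:11:33 84,992 --sha-w c:\windows\system32\mirikiri.dll
+ 2009-03-03 19:11:20 84,992 --sha-w c:\windows\system32\zositene.dll
+ 2009-03-03 19:47:14 16,384 ----atw c:\windows\temp\Perflib_Perfdata_23c.dat
2006-06-24 07:17 1,890 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-05-20 02:47 1,540 ----a-w c:\documents and settings\eileen\Application Data\wklnhst.dat
2009-03-03 00:47 --------- d-----w c:\program files\Trend Micro
"""


@dataclass
class Entry:
    timestamp: str
    size: Optional[int]   # None for directories (ComboFix prints dashes)
    attrs: str            # 7-character attribute summary, e.g. --sha-w
    path: str


LINE = re.compile(
    r"^\+?\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"  # timestamp, seconds optional
    r"([\d,]+|-+)\s+"                                       # size, or dashes for a directory
    r"([A-Za-z-]{7})\s+"                                    # attribute summary
    r"(.+?)\s*$"                                            # path (may contain spaces)
)

# Example heuristic: four consonant-vowel pairs, as in "bafekefe" or "gunowini".
CV_NAME = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}\.(?:dll|sys|exe)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_combofix_lines(text: str) -> List[Entry]:
    """Turn file lines from a ComboFix log into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # section banners, dots, blank lines
        ts, size, attrs, path = m.groups()
        size_val = None if size.startswith("-") else int(size.replace(",", ""))
        entries.append(Entry(ts, size_val, attrs, path))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries that deserve a closer look, in log order."""
    by_size = {}
    for e in entries:
        if e.size is not None:
            by_size.setdefault(e.size, []).append(e.path)

    findings = []
    for e in entries:
        reasons = []
        name = e.path.rsplit("\\", 1)[-1].lower()
        in_system32 = e.path.lower().startswith(SYSTEM32)
        # A plain file in system32 carrying both the system and hidden flags.
        if in_system32 and "d" not in e.attrs and "s" in e.attrs and "h" in e.attrs:
            reasons.append("hidden+system file in system32")
        if in_system32 and CV_NAME.match(name):
            reasons.append("8-letter consonant-vowel name")
        # Droppers of this kind tend to write copies of equal size; only note
        # this for entries that were already suspicious, to keep noise down.
        if reasons and e.size is not None and len(by_size[e.size]) > 1:
            reasons.append(f"same size as {len(by_size[e.size]) - 1} other listed file(s)")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_combofix_lines(SAMPLE_LOG)):
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the four Vundo-style DLLs trip all three rules, while `KGyGaAvL.sys` is flagged by the attribute rule alone: hidden plus system in system32 is a strong hint but not proof, which is why the helper's scripts name exact files rather than deleting by attribute.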
| 507. |
Solve : someone help please? |
|
Answer» You have told me I have an infection and I did what you said, I think. |
|
| 508. |
Solve : Trying to remove malware but can't? |
|
Answer» Hi there- |
|
| 509. |
Solve : ok I did all the scans now what here are the logs? |
|
Answer» My computer was running really slow, so I posted my HijackThis log in a different area. evilfantasy was nice enough to set me straight. I have now downloaded and used all of the programs in the malware forum and here are my logs. My computer is still running slow, so I think there is a lot more work to do; I just want to know what to do next. Thank you.
[attachment deleted by admin]

We'll get it cleaned. Shouldn't be too hard now. Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)
Important: Close all windows except for HijackThis and then click FIX checked. Exit HijackThis.

Before we continue, did you set these desktop pictures? It's OK if you did, I just need to know whether to remove them or not.

```
O24 - Desktop Component 0: (no name) - http://aosd.net/2005/local/photos/chicago/Buckingham_Night.jpg
O24 - Desktop Component 1: (no name) - http://rds.yahoo.com/_ylt=A0Je5mwvtHBGjfQAGjWjzbkF/SIG=1286ofnfc/EXP=1181877679/**http%3A//www.eberelaw.com/pictures/chicagoSkyline4.jpg
O24 - Desktop Component 2: (no name) - http://rds.yahoo.com/_ylt=A0WTbx6hFZVILF0ANXKjzbkF/SIG=126kfjg29/EXP=1217816353/**http%3A//www.solarnavigator.net/images/brad_pitt.jpg
O24 - Desktop Component 3: (no name) - http://cdn.buzznet.com/media/jj1/2006/12/brad_pitt_birthday/brad-pitt-birthday-02.jpg
O24 - Desktop Component 4: (no name) - http://www.celebrific.com/wp-content/uploads/2007/08/brad-pitt-new-orleans-8-22-07.jpg
O24 - Desktop Component 5: (no name) - http://cdn.buzznet.com/media/jj1/2006/12/brad_pitt_birthday/brad-pitt-birthday-07.jpg
O24 - Desktop Component 6: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.gif
```

Download OTMoveIt3 by OldTimer. Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).

```
:Processes
explorer.exe
:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"rtasks"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{188b6971-2358-11dc-8037-000b5d502a78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{364ddba0-2a89-11dc-8042-000b5d502a78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f3d1f49-6ff4-11dd-810c-000b5d502a78}]
:files
C:\WINDOWS\system32\SET2C.tmp
C:\WINDOWS\system32\SET2B.tmp
C:\WINDOWS\system32\SET30.tmp
C:\WINDOWS\system32\SET24.tmp
C:\WINDOWS\system32\SET3C.tmp
C:\WINDOWS\system32\SET39.tmp
C:\WINDOWS\system32\SET34.tmp
C:\WINDOWS\system32\SET23.tmp
C:\WINDOWS\system32\SET21.tmp
C:\WINDOWS\system32\SET32.tmp
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
```

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
* Close OTMoveIt3.

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

----------
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix. Temporarily disable your antivirus, and any antispyware real time protection, before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts. When finished, ComboFix will produce a log for you. Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your antivirus and antispyware protection when ComboFix is complete. If you have problems with ComboFix usage, see How to use ComboFix.
----------
Go to Add/Remove Programs and uninstall:
Yes, at least some of those were set on the computer by my wife. We can remove them if you think it will help; just let me know how.

Here are the logs, and I removed the Java. [attachment deleted by admin]

Looks OK now. How is the computer running?

Faster, but it is still starting up slow. Should I defrag?

Let's do some cleanup and then you can defrag.

The above procedure will:
----------
1. Double click OTMoveIt3.exe to launch it. Vista users right click and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit out of OTMoveIt3.
----------
Use the Secunia Software Inspector to check for out of date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth. |
|
| 510. |
Solve : *censored* contentwatch error?!?!? |
|
Answer» I have no idea what's going on! I had NetNanny installed (apparently that's what caused this?!) and I thought it would be good to have spyware doc, but I didn't know they could not work together, so I no longer have NetNanny thanks to the good doctor, but instead I have this annoying message "contentwatch error" and I can't get on the Internet either!!!! Please help me :[ Oh, BTW, here are my log files... ugh, I'm such a newb!!!
----------
Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [Pbudoxepodatode] rundll32.exe "C:\WINDOWS\Ixateduvakad.dll",e
- O4 - HKLM\..\Run: [Etitigaxe] rundll32.exe "C:\WINDOWS\udijuyib.dll",e
- O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis.
----------
Go to Start > Run and type notepad.exe then click OK. Copy and paste the below into Notepad and save as fixme.reg to your Desktop.

```
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Pbudoxepodatode"=-
"Etitigaxe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"system tool"=-
```

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry. Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work. Delete the fixme.reg from the Desktop.
----------
Reboot the computer. You should be able to connect to the Internet now; if not, then let me know.

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.
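The fixme.reg script above and the `:reg` sections of the OTMoveIt3 scripts earlier in this page all use Regedit's own syntax: `[KEY]` selects a key, `[-KEY]` deletes the key and everything below it, `"name"=-` deletes a value, and `"name"=data` creates or overwrites one. Because a merged .reg file cannot be undone, a practitioner wants to see what it will do before double-clicking it. The Python below is an added example, not from the thread or from any of the tools named in it: a dry-run parser that turns a script into a list of actions, plus a small review check (the example's own heuristic) that flags a `[-KEY]` aimed at an entire autostart location rather than one entry under it. The two script texts are copied from the posts above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Scripts copied from the posts above: fixme.reg, and the :reg section of the
# OTMoveIt3 script from the previous thread.
FIXME_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Pbudoxepodatode"=-
"Etitigaxe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"system tool"=-
"""

OTMOVEIT_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"rtasks"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{188b6971-2358-11dc-8037-000b5d502a78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{364ddba0-2a89-11dc-8042-000b5d502a78}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f3d1f49-6ff4-11dd-810c-000b5d502a78}]
"""


@dataclass(frozen=True)
class RegAction:
    op: str                      # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None   # value name; "(Default)" stands for "@"
    data: Optional[str] = None   # raw data text for set_value (e.g. dword:00000001)


KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def _unquote(name: str) -> str:
    if name == "@":
        return "(Default)"
    return re.sub(r"\\(.)", r"\1", name[1:-1])   # \" -> "  and  \\ -> \


def plan_reg_script(text: str) -> List[RegAction]:
    """Parse a REGEDIT4/5 script and return the actions it would perform, in order."""
    actions: List[RegAction] = []
    key: Optional[str] = None
    pending = ""  # joins hex data that is continued with a trailing backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if (not line or line.startswith(";") or line.startswith("REGEDIT4")
                or line.startswith("Windows Registry Editor")):
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(RegAction("delete_key", key))
                key = None  # values cannot follow a [-KEY] header
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name, data = m.groups()
            if data == "-":
                actions.append(RegAction("delete_value", key, _unquote(name)))
            else:
                actions.append(RegAction("set_value", key, _unquote(name), data))
            continue
        raise ValueError(f"unrecognised line in registry script: {raw!r}")
    return actions


# Example heuristic: key names whose wholesale deletion would wipe every
# autostart entry, not just the one being removed.
AUTOSTART_ROOTS = ("\\run", "\\runonce", "\\winlogon", "\\services", "\\browser helper objects")


def review_warnings(actions: List[RegAction]) -> List[str]:
    return [f"deletes an entire autostart key: {a.key}"
            for a in actions
            if a.op == "delete_key" and a.key.lower().endswith(AUTOSTART_ROOTS)]


def describe(actions: List[RegAction]) -> List[str]:
    out = []
    for a in actions:
        if a.op == "delete_key":
            out.append(f"DELETE KEY   {a.key}")
        elif a.op == "delete_value":
            out.append(f"DELETE VALUE {a.key} -> {a.name}")
        else:
            out.append(f"SET VALUE    {a.key} -> {a.name} = {a.data}")
    return out


if __name__ == "__main__":
    for script in (FIXME_REG, OTMOVEIT_REG):
        plan = plan_reg_script(script)
        print("\n".join(describe(plan)))
        for w in review_warnings(plan):
            print("WARNING:", w)
        print()
```

Run against the two scripts, the plan is three value deletions for fixme.reg, and one value deletion plus three MountPoints2 key deletions for the OTMoveIt3 section, with no warnings; a script containing `[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]` would be flagged because it removes every autostart entry at once.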
here is #1 info.txt logfile of random's system information tool 1.05 2009-03-02 17:57:57 ======Uninstall list====== -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003} Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log ANIO Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe" ANIWZCS2 Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe" Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe" FA Addition Subtraction-->C:\WINDOWS\unvise32.exe C:\Program Files\sz8022\uninstal.log HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall HP Color LaserJet 3600-->"C:\Program Files\Hewlett-Packard\Install Engines\HP Color LaserJet 3600\setup.exe" /x HP Color LaserJet 3600-->msiexec /x{EED52BB5-3A22-42F2-9B76-BB743F6739B7} Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572 Intel(R) PRO Network Connections Drivers-->Prounstl.exe Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Internationalized Domain Names 
Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9} Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003} Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe" Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" Wireless G WDA-1320-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{D3815721-7859-40E2-846A-0C9461BDCD8D} =====HijackThis Backups===== O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Pbudoxepodatode] rundll32.exe "C:\WINDOWS\Ixateduvakad.dll",e O4 - HKLM\..\Run: [Etitigaxe] rundll32.exe "C:\WINDOWS\udijuyib.dll",e O4 - HKLM\..\Run: [Etitigaxe] rundll32.exe 
"C:\WINDOWS\udijuyib.dll",e System event log Computer Name: DUKE Event Code: 7035 Message: The SSDP Discovery Service service was successfully sent a start control. Record Number: 1059 Source Name: Service Control Manager Time Written: 20081014182805.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: DUKE Event Code: 7035 Message: The Network Location Awareness (NLA) service was successfully sent a start control. Record Number: 1058 Source Name: Service Control Manager Time Written: 20081014182805.000000-300 Event Type: information User: DUKE\Administrator Computer Name: DUKE Event Code: 7035 Message: The IMAPI CD-Burning COM Service service was successfully sent a start control. Record Number: 1057 Source Name: Service Control Manager Time Written: 20081014182805.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: DUKE Event Code: 7036 Message: The Fast User Switching Compatibility service entered the running state. Record Number: 1056 Source Name: Service Control Manager Time Written: 20081014182805.000000-300 Event Type: information User: Computer Name: DUKE Event Code: 7035 Message: The Fast User Switching Compatibility service was successfully sent a start control. Record Number: 1055 Source Name: Service Control Manager Time Written: 20081014182805.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Application event log Computer Name: HOME-EBE3532D2A Event Code: 103 Message: wuaueng.dll (476) SUS20ClientDataStore: The database engine stopped the instance (0). Record Number: 42 Source Name: ESENT Time Written: 20080318111313.000000-360 Event Type: information User: Computer Name: HOME-EBE3532D2A Event Code: 102 Message: wuaueng.dll (476) SUS20ClientDataStore: The database engine started a new instance (0). 
Record Number: 41 Source Name: ESENT Time Written: 20080318110812.000000-360 Event Type: information User: Computer Name: HOME-EBE3532D2A Event Code: 100 Message: wuauclt (476) The database engine 5.01.2600.2180 started. Record Number: 40 Source Name: ESENT Time Written: 20080318110812.000000-360 Event Type: information User: Computer Name: HOME-EBE3532D2A Event Code: 1800 Message: The Windows Security Center Service has started. Record Number: 39 Source Name: SecurityCenter Time Written: 20080318110734.000000-360 Event Type: information User: Computer Name: HOME-EBE3532D2A Event Code: 1002 Message: Hanging application RCDMENU.EXE, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Record Number: 38 Source Name: Application Hang Time Written: 20080318105432.000000-360 Event Type: error User: ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel "PROCESSOR_REVISION"=0209 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "CWALTAHOME"=C:\Program Files\ContentWatch -----------------EOF----------------- and #2 Logfile of random's system information tool 1.05 (written by random/random) Run by Administrator at 2009-03-02 17:57:52 Microsoft Windows XP Professional Service Pack 3, v.3264 System drive C: has 32 GB (84%) free of 38 GB Total RAM: 510 MB (65% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:57:55 PM, on 3/2/2009 Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\wscntfy.exe E:\RSIT.exe C:\Program Files\Trend Micro\HijackThis\Administrator.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe O4 - HKLM\..\Run: [Etitigaxe] rundll32.exe "C:\WINDOWS\udijuyib.dll",e O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - 
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205861787328 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214593856200 O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 3312 bytes ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792] "D-Link Wireless G WDA-1320"=C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe [2006-11-15 1880064] "ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [2006-06-29 49152] "Etitigaxe"=C:\WINDOWS\udijuyib.dll [2009-02-20 134144] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2007-12-01 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:xpsp3res.dll,-20000" "C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:xpsp2res.dll,-22019" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:xpsp3res.dll,-20000" ======File associations====== .ini - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1 .txt - open - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1 ======List of files/folders created in the last 1 months====== 2009-03-02 17:57:52 ----D---- C:\rsit 2009-02-26 19:33:21 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes 2009-02-26 19:33:13 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2009-02-26 17:39:18 ----D---- C:\Program Files\Trend Micro 2009-02-26 17:27:00 ----D---- C:\WINDOWS\CSC 2009-02-26 17:26:52 ----A---- C:\WINDOWS\ntbtlog.txt 2009-02-25 18:55:14 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP 2009-02-25 18:55:00 ----D---- C:\Program 
Files\Spyware Doctor 2009-02-20 14:33:41 ----A---- C:\WINDOWS\udijuyib.dll 2009-02-20 14:21:21 ----A---- C:\WINDOWS\Ixateduvakad.dll ======List of files/folders modified in the last 1 months====== 2009-03-02 17:57:39 ----D---- C:\WINDOWS\Prefetch 2009-03-02 17:57:35 ----D---- C:\WINDOWS\system32\CatRoot2 2009-03-02 17:55:21 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-02-27 16:00:35 ----D---- C:\Program Files\Common Files 2009-02-27 16:00:34 ----RD---- C:\Program Files 2009-02-27 15:59:19 ----D---- C:\WINDOWS\system32\drivers 2009-02-27 15:46:51 ----D---- C:\WINDOWS\system32 2009-02-27 14:39:47 ----SHD---- C:\WINDOWS\Installer 2009-02-27 00:38:33 ----D---- C:\WINDOWS\Temp 2009-02-26 19:54:19 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$ 2009-02-26 19:54:15 ----HDC---- C:\WINDOWS\ie7 2009-02-26 19:54:08 ----D---- C:\WINDOWS\system32\en-us 2009-02-26 19:51:23 ----D---- C:\WINDOWS 2009-02-26 16:42:25 ----RSHDC---- C:\WINDOWS\system32\dllcache 2009-02-26 16:41:56 ----D---- C:\WINDOWS\system32\NtmsData 2009-02-26 16:38:16 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft 2009-02-26 15:58:27 ----D---- C:\WINDOWS\system32\Restore ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2007-11-30 36352] R1 OMCI;OMCI; \??\C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [] R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032] R2 ANIO;ANIO Service; \??\C:\WINDOWS\system32\ANIO.SYS [] R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB); C:\WINDOWS\system32\DRIVERS\A3AB.sys [2006-10-15 472832] R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816] R3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2005-06-29 163840] R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-09-20 1302332] R3 
smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-06 580992] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2007-11-30 30208] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2007-11-30 59520] R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2007-11-30 26368] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2007-11-30 20608] S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2007-11-30 14592] S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504] S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752] S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2007-11-30 10368] S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120] R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2005-03-14 69632] S2 ANIWZCSdService;ANIWZCSd Service; C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [2006-07-03 49152] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; 
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2007-12-01 14336]
-----------------EOF-----------------

PS: I noticed that this one "O4 - HKLM\..\Run: [Etitigaxe] rundll32.exe "C:\WINDOWS\udijuyib.dll",e" won't stay dead :/ Thank you anyway :]

Open HijackThis and select Do a system scan only. Place a check mark next to the following entries (if there):
O4 - HKLM\..\Run: [Etitigaxe] rundll32.exe "C:\WINDOWS\udijuyib.dll",e
Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis.
----------
Go to Start > Run and type notepad.exe, then click OK. Copy and paste the below into Notepad and save it as fixme.reg to your Desktop.
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Etitigaxe"=-
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry. Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work. Delete fixme.reg from the Desktop.
----------
Look for and delete these two files (if found):
C:\WINDOWS\udijuyib.dll
C:\WINDOWS\Ixateduvakad.dll
----------
Go to Start > Run (Start Search in Vista) and type in: cmd
Click OK (in Vista, while holding CTRL and SHIFT, press Enter).
At the Command Prompt, type in:
netsh winsock reset catalog
On the keyboard press Enter. Do that again and type in:
netsh int ip reset reset.log
Press Enter. Restart the computer.
Note: Resetting the Winsock using the netsh winsock reset catalog command in SP2 removes all third-party LSPs and restores Winsock to its factory default setting. Existing programs that use their own LSPs need to be reinstalled. Example: Google Desktop Search.
----------
Go to Start > Run (Start Search in Vista) and type in: cmd
Click OK (in Vista, while holding CTRL and SHIFT, press Enter).
In the Command Prompt window type in the following commands, and press Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
Note the space before the forward slash /
Restart the computer.
----------
Is the connection back?

The fixme.reg was a success, but after the rest of the steps --> no connection :[ I got another log just in case:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:12 PM, on 3/2/2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205861787328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214593856200
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

-- End of file - 3068 bytes

Have you tried resetting your router?
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 Link #2
**Note: It is important that it is saved directly to your Desktop.
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real-time protection, before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts. When finished, ComboFix will produce a log for you. Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix

I got a message about having a Windows Recovery Console, but I need the internet to download it... What should I do?

Just skip the Recovery Console.

OK, I skipped the recovery thing and here is the log:
ComboFix 09-03-02.01 - Administrator 2009-03-03 16:35:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.342 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-03-02 17:57 . 2009-03-02 17:57 d-------- C:\rsit
2009-02-26 19:33 . 2009-02-26 19:33 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 19:33 . 2009-02-26 19:33 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-26 17:39 . 2009-02-26 17:39 d-------- c:\program files\Trend Micro
2009-02-25 19:06 . 2009-02-25 19:06 d-------- c:\documents and settings\LocalService\ContentWatch
2009-02-25 19:02 . 2009-02-25 19:02 d-------- c:\documents and settings\Administrator\ContentWatch
2009-02-25 18:55 . 2009-02-27 16:00 d-------- c:\program files\Spyware Doctor
2009-02-25 18:55 . 2009-02-27 15:59 d-a------ c:\documents and settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-12-01 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"D-Link Wireless G WDA-1320"="c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2006-11-15 1880064]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 49152]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-10-15 472832]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 16:36:43
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-03-03 16:37:47
ComboFix-quarantined-files.txt 2009-03-03 22:37:43
Pre-Run: 33,421,389,824 bytes free
Post-Run: 33,582,321,664 bytes free
57 --- E O F --- 2008-09-12 01:39:15

Did the internet connection come back? Do you know what this is?
2009-02-25 19:06 . 2009-02-25 19:06 d-------- c:\documents and settings\LocalService\ContentWatch
2009-02-25 19:02 . 2009-02-25 19:02 d-------- c:\documents and settings\Administrator\ContentWatch

Nope, I have noooo idea how to get my internet connection back :/ and I think ContentWatch is somehow connected with Net Nanny, which I no longer have thanks to Spyware Doctor ... and I used to keep getting an error message saying something about ContentWatch. Oh, BTW, I tried to "repair" the internet connection but it said it couldn't renew the IP address.

Can you reinstall your router? Do you have your XP CD? |
|
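An added example, not from this thread and not code from HijackThis or Trend Micro: a small Python auditor that reads HijackThis-style O2/O4/O20 lines like the ones posted above, flags the patterns that turned out to be the problem here (a Run value launching a DLL through rundll32 from C:\WINDOWS) plus AppInit_DLLs entries of the same family, and drafts the same kind of REGEDIT4 removal snippet the helper wrote by hand. The O2/O4 sample lines are copied from the log in this thread; the O20 line is constructed for the example (this thread's log has no AppInit_DLLs entry), and the "outside Program Files" and "loose in C:\WINDOWS" rules are the example's own assumptions, not HijackThis rules.

```python
"""Audit HijackThis / RSIT autostart lines and draft the matching .reg fix.

Added example for this thread, not code from the original post or from
HijackThis.  It only parses log text (no registry access), flags the kinds
of entries the thread removed by hand, and emits a REGEDIT4 snippet in the
same shape as the helper's fixme.reg.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines: the O2/O4 lines are copied from the HijackThis log posted in
# this thread; the O20 line is constructed for the example (assumption).
SAMPLE_LINES = [
    r'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll',
    r'O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"',
    r'O4 - HKLM\..\Run: [Etitigaxe] rundll32.exe "C:\WINDOWS\udijuyib.dll",e',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O20 - AppInit_DLLs: qwzxvbnm.dll',  # constructed, not from this thread's log
]


@dataclass
class Finding:
    kind: str    # HijackThis section: O2, O4 or O20
    name: str    # Run value name, BHO description or DLL name
    path: str    # file the entry loads
    hive: str    # HKLM / HKCU for O4, '' otherwise
    reason: str


O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
PROGRAM_FILES_RE = re.compile(r'^[A-Za-z]:\\Program Files\\', re.I)
WINDIR_ROOT_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+$', re.I)  # file loose in C:\WINDOWS
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}
RUN_KEY = r'Software\Microsoft\Windows\CurrentVersion\Run'


def first_path(cmd: str) -> Optional[str]:
    """First Windows path in a Run command line, honouring surrounding quotes."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else None


def check_line(line: str) -> List[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    line = line.strip()
    if m := O4_RE.match(line):
        path = first_path(m['cmd'])
        if path is None:
            return []
        # rundll32 is a legitimate, signed host, so the DLL it loads borrows its
        # credibility; a DLL outside Program Files is treated as suspect here.
        if ('rundll32' in m['cmd'].lower() and path.lower().endswith('.dll')
                and not PROGRAM_FILES_RE.match(path)):
            return [Finding('O4', m['name'], path, m['hive'],
                            'rundll32 autostart loading a DLL outside Program Files')]
        # Real autostarts live under Program Files or system32, not loose in C:\WINDOWS.
        if WINDIR_ROOT_RE.match(path):
            return [Finding('O4', m['name'], path, m['hive'],
                            'autostart binary placed directly in the Windows directory')]
        return []
    if m := O2_RE.match(line):
        if not PROGRAM_FILES_RE.match(m['path']):
            return [Finding('O2', m['desc'], m['path'], '',
                            'browser helper object outside Program Files')]
        return []
    if m := O20_RE.match(line):
        # AppInit_DLLs is loaded into every process that maps user32.dll; on a
        # home PC it should be empty, so every listed DLL is reported.
        return [Finding('O20', dll, dll, '', 'AppInit_DLLs injection entry')
                for dll in m['dlls'].split()]
    return []


def audit(lines) -> List[Finding]:
    """Run check_line over an iterable of log lines, keeping log order."""
    return [f for line in lines for f in check_line(line)]


def reg_fix(findings) -> str:
    """REGEDIT4 text deleting each flagged O4 Run value (same shape as fixme.reg)."""
    out = ['REGEDIT4', '']
    for f in findings:
        if f.kind == 'O4' and f.hive in HIVES:
            out += [f'[{HIVES[f.hive]}\\{RUN_KEY}]', f'"{f.name}"=-', '']
    return '\n'.join(out)


if __name__ == '__main__':
    found = audit(SAMPLE_LINES)
    for f in found:
        print(f'{f.kind} [{f.name}] {f.path}: {f.reason}')
    print(reg_fix(found))
```

Run as a script it prints the two findings (the Etitigaxe value and the constructed AppInit_DLLs entry) and a fixme.reg body identical in form to the one above. It reports and drafts only; as the thread shows, deleting the Run value was not enough on its own, and the entry only stayed gone once the DLL files themselves were removed, so any real clean-up needs the file step too.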
| 511. |
Solve : Please someone help???? |
|
Answer» My PC will turn itself off when I'm running a scan or running a full-window programme; I just can't seem to fix it. Has anyone got any ideas? Here is the log of HijackThis if this will help: |
|
| 512. |
Solve : Had trouble with trial version of new Kaspersky security suite? |
|
Answer» This morning I am looking for a new security suite. I have tried ZoneAlarm but the reviews were bad, so I thought I'd try Kaspersky for the first time. After I installed it I restarted the computer; when I got to where I have to enter my password to log on, I just shut down & restarted again. I started it up in Safe Mode and tried to remove the program, but nothing, so in the end I had to restore from a point before I had put this program on. I am running Vista Home Basic |
|
| 513. |
Solve : Warning to all Firefox users! Microsoft!? |
|
Answer» This is a new item, but it needs to be seen by users who don't read the news. February 27, 2009 - Warning to all Firefox users: the Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows, installs the Microsoft .NET Framework Assistant Firefox extension without asking your permission. This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer... http://www.annoyances.org/ |
|
| 514. |
Solve : Can't install SuperAntiSpyware Free Edition...? |
|
Answer» Hello there! I read through the "Read this before requesting help..." and got to the SAS part. I downloaded it to my desktop, but when I click the icon, it says there is an error and it needs to close.
Open the SDFix folder and double click RunThis.bat to start the script.
Try booting into Safe Mode, install it, then run it. You won't be able to update it, but it should be OK as is for now.
When I try to log on to Windows in Safe Mode, it tells me my username/password is incorrect and it can't log me on. But if I just log on normally, it's fine. Am I missing something? Thank you so much for all your help!
Try downloading and running MBAM from here http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html Post the log it creates. |
|
| 515. |
Solve : hacked msn messenger? |
|
Answer» Someone is hacking into my MSN Messenger, but how is this possible (when I'm currently signed in)? This occurred in the past days. Please HELP!!!! The person is really sick; they are leaving very disturbing messages, full of profanity and rude comments for my friends.
I think we need to know exactly what this guy is sending to your friends.... |
|
| 516. |
Solve : How do I know if I have a RAT?? |
|
Answer» I received an evil e-mail that was opened by an unsuspecting family member and now I don't know what to do.
Malwarebytes found 3 Trojan Vundos. Here is that log:
Malwarebytes' Anti-Malware 1.20
Database version: 941
Windows 5.1.2600 Service Pack 3

4:05:38 PM 2/5/2009
mbam-log-2-5-2009 (16-05-38).txt

Scan type: Quick Scan
Objects scanned: 47300
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

I was concerned that this so-called RAT was possibly undetected. I will post the other requests in two separate posts. They are too long for one.

Log file:
Logfile of random's system information tool 1.05 (written by random/random)
Run by airhalling at 2009-02-05 16:42:10
Microsoft Windows XP Professional Service Pack 3
System drive C: has 58 GB (77%) free of 76 GB
Total RAM: 1015 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:16 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\airhalling\Desktop\RSIT.exe C:\Program Files\Trend Micro\HijackThis\airhalling.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/Documents and Settings/airhalling/My Documents/My Music/Temp/Tunebite/.downloading/profile/rrproxy_ie_49791246.pac R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe O4 - Global Startup: PowerReg Scheduler.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing) O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU) O15 - Trusted Zone: http://*.mcafee.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O24 - Desktop Component 0: (no name) - C:\Documents and Settings\airhalling\My Documents\My Pictures\Yosemite.jpg -- End of file - 7969 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\Tune-up Application Start.job C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job C:\WINDOWS\tasks\Symantec NetDetect.job C:\WINDOWS\tasks\McQcTask.job C:\WINDOWS\tasks\McDefragTask.job C:\WINDOWS\tasks\odwguswb.job ======Registry dump====== still too long, see next post...rest of log... ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}] Yahoo! 
Companion BHO - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL [2005-03-04 327246] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-07-17 279944] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}] RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-09-24 308832] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}] C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 744960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA102584-3B97-47e7-B9BC-75D54C110A7D}] Tunebite_WebRipPlugin Class - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll [2008-09-15 144688] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! 
Toolbar - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL [2005-03-04 327246] {3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-07-17 279944] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-11-28 98304] "igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-11-28 77824] "igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-11-28 118784] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2007-06-29 286720] "mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992] "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-09-24 185872] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [2007-07-12 132496] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2005-06-14 6856704] "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360] "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [2008-12-12 9555968] "RegistryCleanerProMFCT"=C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe [2008-09-16 13422592] C:\Documents and Settings\All Users\Start Menu\Programs\Startup America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe PowerReg Scheduler.exe Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="xooqxv.dll yuvgjm.dll spixsm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] C:\WINDOWS\system32\igfxdev.dll [2005-11-28 135168] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] 
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "notification packages"= [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll, [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:xpsp2res.dll,-22019" "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe"="C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:xpsp3res.dll,-20000" "C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent" "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN 
Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0" "C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Windows Explorer" "C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:xpsp3res.dll,-20000" "C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0" ======File associations====== .reg - open - regedit.exe "%1" %* .scr - open - "%1" %* ======List of files/folders created in the last 1 months====== 2009-02-05 16:42:10 ----D---- C:\rsit 2009-01-30 15:43:56 ----D---- C:\Program Files\AskBarDis 2009-01-28 17:57:36 ----D---- C:\Program Files\A360 2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini2 2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini 2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini2 2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini 2009-01-15 03:01:41 ----HD---- C:\WINDOWS\$NtUninstallKB958687$ 2009-01-13 20:12:37 ----D---- C:\Program Files\NOS 2009-01-13 20:12:37 ----D---- C:\Documents and Settings\All Users\Application Data\NOS ======List of files/folders modified in the last 1 months====== 2064-04-14 12:20:40 ----D---- C:\WDSTW 2009-02-05 14:44:26 ----A---- C:\WINDOWS\LEXSTAT.INI 2009-02-01 14:26:18 ----A---- C:\WINDOWS\system32\4b5ea7be-.txt 2009-01-23 18:19:32 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-01-09 19:35:28 ----A---- C:\WINDOWS\system32\MRT.exe ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 DcCam;Kodak Camera Proxy; C:\WINDOWS\system32\DRIVERS\DcCam.sys [2004-05-20 36918] R1 intelppm;Intel 
Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352] R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320] R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952] R2 DCFS2K;Kodak DCFS2K Driver; C:\WINDOWS\system32\drivers\dcfs2k.sys [2004-06-02 38705] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384] R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368] R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-11-28 1353820] R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920] R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2003-05-16 2202674] R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2003-05-16 451625] R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2003-05-16 29541] R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304] R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240] R3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832] R3 mfesmfk;McAfee Inc. 
mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488] R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128] R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120] R3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2008-09-15 43552] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608] R3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528] R3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S1 Exportit;Exportit; C:\WINDOWS\system32\DRIVERS\exportit.sys [2004-06-02 151985] S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [] S3 ctljystk;Creative SBLive! 
Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712] S3 DcFpoint;DcFpoint; C:\WINDOWS\system32\DRIVERS\DcFpoint.sys [2004-05-20 61564] S3 DcLps;Legacy Polling Service; C:\WINDOWS\system32\DRIVERS\DcLps.sys [2004-05-20 8022] S3 DcPTP;dcptp; C:\WINDOWS\system32\DRIVERS\DcPTP.sys [2004-05-20 68950] S3 EL90X;3Com EtherLink XL 90X Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xnd5.sys [] S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys [] S3 NtApm;NT Apm/Legacy INTERFACE Driver; C:\WINDOWS\system32\DRIVERS\NtApm.sys [2006-02-28 9344] S3 S3SAVAGE4M;S3SAVAGE4M; C:\WINDOWS\system32\DRIVERS\s3sav4m.sys [2001-08-17 77824] S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-08-15 106496] R2 KodakCCS;Kodak Camera Connection Software; C:\WINDOWS\system32\drivers\KodakCCS.exe [2004-05-24 322104] R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-01-13 311296] R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976] R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2008-01-25 2458128] R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248] R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704] R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864] R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336] R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768] S3 
getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752] S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184] S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408] -----------------EOF----------------- info file: info.txt logfile of random's system information tool 1.05 2009-02-05 16:42:20 ======Uninstall list====== -->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 -->C:\Program Files\Creative\SBLive\PROGRAM\CTZAPDEV.EXE -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu" -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Launcher\Launcher.isu" -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Recorder\Recorder.isu" -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SurMixer.isu" -->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu" -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adaptec DirectCD-->C:\WINDOWS\uninst.exe -fc:\progra~1\cd-wri~1\directcd\DeIsL2.isu -c"c:\progra~1\cd-wri~1\directcd\\Dcduhlp.dll" Ad-Aware SE Personal-->C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Shockwave Player-->C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\MACROMED\SHOCKW~2\Install.log America Online-->C:\Program Files\Common Files\aolshare\Aolunins_us.exe AOL Coach Version 1.0(Build:20020823.1)-->C:\WINDOWS\AolCInUn.exe Ask Toolbar-->"C:\Program Files\AskBarDis\unins000.exe" Belarc Advisor 7.0-->C:\PROGRA~1\BELARC\ADVISOR\Uninstall.exe C:\PROGRA~1\BELARC\ADVISOR\INSTALL.LOG CD-Writer Plus software-->C:\Program Files\CD-Writer 
Plus\hpremove.exe Chutes and Ladders-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\Chutes\DeIsL1.isu" Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe" HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe" Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" Intel(R) Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772 Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_14d8e\Setup.exe /APR-REMOVE Lexmark 4200 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series LiveUpdate 2.0 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" MathPlayer-->C:\Program Files\Design Science\MathPlayer\Setup.exe -u McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp" Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft IntelliType Pro-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft Hardware\Keyboard\Uninst.isu" -c"C:\Program 
Files\Microsoft Hardware\Keyboard\sutils.dll" Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe PartyPokerNet-->"C:\Program Files\PartyGaming.Net\PartyPokerNet\Uninstall.exe" "C:\Program Files\PartyGaming.Net\PartyPokerNet\install.log" PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net PokerStars-->C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars" RealArcade-->C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2 RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 RegistryCleanerPro 1.0-->C:\Program Files\RegistryCleanerPro\uninst.exe Roxio UDF Reader-->C:\WINDOWS\SYSTEM32\udfrunin.exe Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe" Security Update for Windows 
Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe" Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe" Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe" Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP 
(KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe" Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe" Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe" Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe" Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe" Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe" Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe" Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe" Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe" Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe" Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe" Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe" Sound Blaster Live! 
Value-->C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI Spybot - Search & Destroy 1.3-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe" TaxCut Standard 2005-->C:\PROGRA~1\TaxCut05\Program\removetc.exe Uninstall InControl Tools 99-->C:\Program Files\Diamond\Setup99\install.exe -uh Unity Web Player-->C:\Program Files\Unity\WebPlayer\Uninstall.exe Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe" Westwood Shared Internet Components-->C:\Westwood\Internet\UnstllAP.EXE Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" WinZip-->"C:\PROGRAM FILES\WINZIP\WINZIP32.EXE" /uninstall ======Security center information====== AV: McAfee VirusScan FW: McAfee Personal Firewall System event log Computer Name: PII300MHZ Event Code: 36 Message: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized. Record Number: 10653 Source Name: W32Time Time Written: 20080806001117.000000-300 Event Type: warning User: Computer Name: PII300MHZ Event Code: 7036 Message: The IMAPI CD-Burning COM Service service entered the stopped state. 
Record Number: 10652 Source Name: Service Control Manager Time Written: 20080805210439.000000-300 Event Type: information User: Computer Name: PII300MHZ Event Code: 7036 Message: The IMAPI CD-Burning COM Service service entered the running state. Record Number: 10651 Source Name: Service Control Manager Time Written: 20080805210429.000000-300 Event Type: information User: Computer Name: PII300MHZ Event Code: 7035 Message: The IMAPI CD-Burning COM Service service was successfully sent a start control. Record Number: 10650 Source Name: Service Control Manager Time Written: 20080805210428.000000-300 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: PII300MHZ Event Code: 7036 Message: The IMAPI CD-Burning COM Service service entered the stopped state. Record Number: 10649 Source Name: Service Control Manager Time Written: 20080805103708.000000-300 Event Type: information User: Application event log Computer Name: PII300MHZ Event Code: 5000 Message: McShield service started. Engine version : 5300.2777 DAT version : 5478.0000 Number of signatures in EXTRA.DAT : None Names of threats that EXTRA.DAT can detect : None Record Number: 6712 Source Name: McLogEvent Time Written: 20081229221153.000000-360 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: PII300MHZ Event Code: 1000 Message: Faulting application firefox.exe, version 1.9.0.3257, faulting module unknown, version 0.0.0.0, fault address 0x1000cea6. Record Number: 6711 Source Name: Application Error Time Written: 20081224194653.000000-360 Event Type: error User: Computer Name: PII300MHZ Event Code: 5000 Message: McShield service started. 
Engine version : 5300.2777 DAT version : 5474.0000 Number of signatures in EXTRA.DAT : None Names of threats that EXTRA.DAT can detect : None Record Number: 6710 Source Name: McLogEvent Time Written: 20081224194600.000000-360 Event Type: information User: NT AUTHORITY\SYSTEM Computer Name: PII300MHZ Event Code: 7 Message: Successful auto update retrieval of third-party root list sequence number from: Record Number: 6709 Source Name: crypt32 Time Written: 20081223211642.000000-360 Event Type: information User: Computer Name: PII300MHZ Event Code: 5000 Message: McShield service started. Engine version : 5300.2777 DAT version : 5473.0000 Number of signatures in EXTRA.DAT : None Names of threats that EXTRA.DAT can detect : None Record Number: 6708 Source Name: McLogEvent Time Written: 20081223173336.000000-360 Event Type: information User: NT AUTHORITY\SYSTEM ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;%SYSTEMROOT%\COMMAND;C:\Program Files\QuickTime\QTSystem\ "windir"=C:\WINDOWS "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel "PROCESSOR_REVISION"=0409 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=C:\WINDOWS\TEMP "TMP"=C:\WINDOWS\TEMP "winbootdir"=C:\WINDOWS "PROMPT"=$p$g "BLASTER"=A220 I7 D1 H5 P330 T6 "CLASSPATH"=.;C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip -----------------EOF----------------- Open HijackThis and select Do a system scan only. 
Place a check mark next to the following entries (if there):

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis
- BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
- O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
- O4 - HKCU\..\Run: [RegistryCleanerProMFCT] C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe <- This is a rogue tool.
- O4 - Global Startup: PowerReg Scheduler.exe
- O20 - AppInit_DLLs: xooqxv.dll yuvgjm.dll spixsm.dll

Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis.

----------

Go to Add/Remove Programs and uninstall:

----------

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista.

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.

If you are using Windows Vista, right-click on the LopSD.exe icon and select 'Run as administrator' to perform this scan.
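One defender-side check the fix list above suggests, written here as an added example for this thread (it is not code from the thread, from RSIT or from HijackThis): a small Python triage pass over an RSIT-style log that pulls out any DLLs named in AppInit_DLLs (the O20 entry above) and any hidden, system-attributed .ini/.ini2 files created under system32 (the pair that the Lop S&D scan later labels VUNDO). The sample log embedded in the block is constructed from the entry formats and values shown in the log above; the function and pattern names are assumptions of this example, and the checks generalise beyond this one log to any populated AppInit_DLLs value and any such .ini/.ini2 pair.

```python
"""Triage pass over an RSIT-style log for two indicators singled out in the
thread: a populated AppInit_DLLs value and hidden .ini/.ini2 pairs dropped in
system32.  Added example, not code from the thread or from RSIT/HijackThis."""
import re
from typing import Dict, List

# Constructed sample in RSIT log format; the entries reuse values from the
# thread's own log so the output can be compared with the helper's fix list.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-11-28 98304]
"RegistryCleanerProMFCT"=C:\Program Files\RegistryCleanerPro\RegistryCleanerPro.exe [2008-09-16 13422592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="xooqxv.dll yuvgjm.dll spixsm.dll"
======List of files/folders created in the last 1 months======
2009-02-05 16:42:10 ----D---- C:\rsit
2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini2
2009-01-26 16:11:36 ----ASH---- C:\WINDOWS\system32\yJikmUvw.ini
2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini2
2009-01-25 14:21:02 ----ASH---- C:\WINDOWS\system32\mnVxayxx.ini
2009-01-15 03:01:41 ----HD---- C:\WINDOWS\$NtUninstallKB958687$
"""

# RSIT prints the value name with whatever case the registry holds; match either.
APPINIT_RE = re.compile(r'^"AppInit_DLLs"="([^"]*)"', re.IGNORECASE | re.MULTILINE)
# "<timestamp> ----ASH---- <path>": dashes pad the attribute letters on both sides.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+)$", re.MULTILINE
)


def appinit_dlls(log: str) -> List[str]:
    """DLLs listed in AppInit_DLLs.  Windows XP loads each one into every process
    that links user32.dll, and the value is empty on a clean install, so any
    entry deserves a look; bare names resolve through the normal DLL search."""
    match = APPINIT_RE.search(log)
    if not match:
        return []
    return [name for name in re.split(r"[\s,]+", match.group(1).strip()) if name]


def hidden_system32_ini(log: str) -> List[str]:
    """Paths of .ini/.ini2 files created under system32 with both the System and
    Hidden attributes set: the random-name .ini plus .ini2 pair is exactly the
    layout Lop S&D reported as VUNDO in the thread."""
    hits = []
    for _when, attrs, path in FILE_RE.findall(log):
        lowered = path.lower()
        if (
            "S" in attrs
            and "H" in attrs
            and "\\system32\\" in lowered
            and lowered.endswith((".ini", ".ini2"))
        ):
            hits.append(path)
    return hits


def triage(log: str) -> Dict[str, List[str]]:
    """Collect both indicator classes so the findings can be pasted back as a list."""
    return {
        "appinit_dlls": appinit_dlls(log),
        "hidden_system32_ini": hidden_system32_ini(log),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(items)} finding(s)")
        for item in items:
            print(f"  {item}")
```

Run against the sample it reports the three AppInit DLLs and the four hidden .ini/.ini2 files; the `----HD----` uninstall folder and the ordinary Run entries are left alone because the checks key on attributes and location, not on file names, which is what makes them reusable on the next log.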
I did not remove Spybot. I realize it is old. My question, though, is that it gave me a message about removing the program and having some issues with quarantined files. I will post that later since I didn't write it down exactly.

Here is the result of the Lop S&D. Looks like my Vundo isn't gone.

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel(R) Celeron(R) CPU 2.66GHz )
BIOS : Award Modular BIOS v6.00PG
USER : airhalling ( Administrator )
BOOT : Normal boot
Antivirus : McAfee VirusScan (Activated)
Firewall : McAfee Personal Firewall (Activated)

A:\ (USB)
C:\ (Local Disk) - FAT32 - Total:74 Go (Free:56 Go)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Fri 02/06/2009|21:12 )

--------------------\\ Listing folders in APPLIC~1

[07/20/2007|10:44] C:\DOCUME~1\DEFAUL~1\APPLIC~1\ Microsoft
[07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ 4200Series
[05/27/2008|07:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Adobe
[07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ AOL
[08/19/2007|06:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Apple
[08/19/2007|06:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Apple Computer
[07/11/2008|09:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Citrix
[07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Kodak
[07/11/2008|10:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Malwarebytes
[08/24/2007|02:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ McAfee
[07/20/2007|10:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Microsoft
[07/20/2007|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ MSN6
[01/13/2009|08:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ NOS
[07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ QuickTime
[09/26/2008|08:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ RapidSolution
[07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Spybot - Search & Destroy
[08/10/2007|11:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Support.com
[07/20/2007|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Symantec
[07/20/2007|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Trymedia
[07/20/2007|11:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Viewpoint [01/03/2008|08:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Windows Genuine Advantage [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ 4200Series [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Adobe [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ AdobeUM [09/07/2007|09:26] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Apple [08/19/2007|06:16] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Apple Computer [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ ApplicationHistory [07/11/2008|09:11] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Citrix [01/09/2008|10:48] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ FunWebProducts [11/29/2008|04:42] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Google [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Identities [07/21/2007|04:00] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ InstallShield [08/19/2007|06:23] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Lavasoft [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Macromedia [07/11/2008|10:08] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Malwarebytes [07/11/2008|09:00] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ McAfee [07/20/2007|10:44] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Microsoft [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Microsoft Web Folders [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Mozilla [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ MSN6 [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ MSNInstaller [08/29/2008|03:32] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ MySpace [05/27/2008|07:50] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ NOS [09/26/2008|08:26] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ RapidSolution [12/25/2007|12:39] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Real [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Snapfish [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Sun [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Support.com [03/30/2008|03:43] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ SupportSoft [07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Talkback [07/16/2008|11:36] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Unity [10/23/2007|01:40] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Viewpoint 
[07/20/2007|11:27] C:\DOCUME~1\AIRHAL~1\APPLIC~1\ Wildfire [08/24/2007|02:10] C:\DOCUME~1\NETWOR~1\APPLIC~1\ Apple [07/20/2007|10:44] C:\DOCUME~1\NETWOR~1\APPLIC~1\ Microsoft [07/16/2008|12:11] C:\DOCUME~1\LOCALS~1\APPLIC~1\ Help [07/20/2007|10:44] C:\DOCUME~1\LOCALS~1\APPLIC~1\ Microsoft --------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks [02/05/2009 11:00 PM][--a------] C:\WINDOWS\tasks\odwguswb.job [01/15/2009 02:18 AM][--a------] C:\WINDOWS\tasks\McDefragTask.job [02/01/2009 01:00 AM][--a------] C:\WINDOWS\tasks\McQcTask.job [02/06/2009 04:52 PM][--a------] C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job [02/04/2009 11:00 PM][--a------] C:\WINDOWS\tasks\Tune-up Application Start.job [06/08/2000 05:00 PM][-r-h-----] C:\WINDOWS\tasks\DESKTOP.INI [01/30/2009 08:22 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT --------------------\\ Listing Folders in C:\Program Files [01/28/2009|05:57] C:\Program Files\ A360 [02/14/2005|04:00] C:\Program Files\ ABBYY FineReader 5.0 Sprint [02/14/2005|04:00] C:\Program Files\ ABBYY FineReader 6.0 [01/01/1998|12:06] C:\Program Files\ Accessories [02/03/2006|03:11] C:\Program Files\ Actiontec [01/31/2002|02:41] C:\Program Files\ Adaptec [01/01/1998|12:32] C:\Program Files\ Adobe [09/22/2001|07:41] C:\Program Files\ AIM95 [11/05/2002|08:10] C:\Program Files\ America Online 8.0 [11/05/2002|08:20] C:\Program Files\ AOL Companion [01/31/2002|09:10] C:\Program Files\ Audiogalaxy Satellite [07/06/2005|10:24] C:\Program Files\ Belarc [09/02/2008|03:09] C:\Program Files\ Best Buy Digital Music Store Powered by Rhapsody [12/25/2007|12:39] C:\Program Files\ Best Buy Rhapsody [02/01/2007|05:24] C:\Program Files\ BFG [01/01/1998|10:35] C:\Program Files\ CD-Writer Plus [01/01/1998|12:06] C:\Program Files\ CHAT [01/01/1998|12:06] C:\Program Files\ Common Files [07/20/2007|11:03] C:\Program Files\ ComPlus Applications [01/01/1998|01:27] C:\Program Files\ Creative [02/03/2006|04:11] C:\Program Files\ Design Science 
[01/01/1998|01:15] C:\Program Files\ Diamond
[01/01/1998|12:03] C:\Program Files\ DirectCD
[01/01/1998|12:07] C:\Program Files\ DIRECTX
[09/08/2001|08:56] C:\Program Files\ EACom
[12/25/2007|01:15] C:\Program Files\ eMusic Download Manager
[02/13/2002|09:00] C:\Program Files\ Franklin Covey
[01/01/1998|12:06] C:\Program Files\ FrontPage Express
[10/31/2001|01:41] C:\Program Files\ Hasbro Interactive
[01/01/1998|12:21] C:\Program Files\ InstallShield Installation Information
[07/21/2007|04:38] C:\Program Files\ Intel
[01/01/1998|12:06] C:\Program Files\ Internet Explorer
[03/31/2006|11:35] C:\Program Files\ Java
[04/04/2005|07:20] C:\Program Files\ Kodak
[07/06/2005|10:26] C:\Program Files\ Lavasoft
[12/25/2001|08:08] C:\Program Files\ LEGO Media
[02/14/2005|03:57] C:\Program Files\ Lexmark 4200 Series
[07/11/2008|10:08] C:\Program Files\ Malwarebytes' Anti-Malware
[08/24/2007|02:45] C:\Program Files\ McAfee
[08/24/2007|02:45] C:\Program Files\ McAfee.com
[07/20/2007|11:02] C:\Program Files\ Messenger
[01/01/1998|01:50] C:\Program Files\ Microsoft FrontPage
[01/01/1998|12:21] C:\Program Files\ Microsoft Hardware
[01/01/1998|02:00] C:\Program Files\ Microsoft Money
[01/01/1998|01:48] C:\Program Files\ Microsoft Office
[02/03/2006|04:14] C:\Program Files\ Microsoft Picture It! 9
[01/01/1998|01:51] C:\Program Files\ Microsoft Visual Studio
[01/01/1998|12:33] C:\Program Files\ Movie Maker
[07/06/2005|12:44] C:\Program Files\ Mozilla Firefox
[02/03/2006|03:54] C:\Program Files\ MSN
[02/07/2006|12:25] C:\Program Files\ MSN Games
[01/01/1998|12:49] C:\Program Files\ MSN Gaming Zone
[02/03/2006|04:07] C:\Program Files\ MSN Messenger
[07/21/2007|05:45] C:\Program Files\ MSXML 4.0
[08/29/2008|03:37] C:\Program Files\ MySpace
[01/01/1998|12:06] C:\Program Files\ NetMeeting
[01/13/2009|08:12] C:\Program Files\ NOS
[01/01/1998|12:09] C:\Program Files\ Online Services
[01/01/1998|12:06] C:\Program Files\ Outlook Express
[02/17/2006|03:27] C:\Program Files\ PartyGaming.net
[02/12/2006|11:37] C:\Program Files\ PartyPoker.net
[09/26/2008|08:24] C:\Program Files\ PixiePack Codec Pack
[01/01/1998|12:06] C:\Program Files\ PLUS!
[08/18/2007|09:30] C:\Program Files\ Poker.com
[02/13/2006|04:24] C:\Program Files\ PokerStars
[11/29/2007|06:22] C:\Program Files\ PokerStars.NET
[04/14/2004|02:38] C:\Program Files\ PowerQuest
[02/03/2006|04:08] C:\Program Files\ QMgr
[08/19/2007|06:18] C:\Program Files\ QuickTime
[09/26/2008|08:21] C:\Program Files\ RapidSolution
[09/08/2001|06:02] C:\Program Files\ Real
[09/23/2008|12:12] C:\Program Files\ RegistryCleanerPro
[09/05/2008|11:20] C:\Program Files\ Rhapsody
[07/06/2005|11:18] C:\Program Files\ SAV9
[07/06/2005|11:02] C:\Program Files\ Spybot - Search & Destroy
[03/30/2008|03:43] C:\Program Files\ support.com
[07/06/2005|11:23] C:\Program Files\ Symantec
[07/06/2005|11:21] C:\Program Files\ Symantec Client Security
[02/12/2006|08:20] C:\Program Files\ TaxCut05
[09/23/2008|10:55] C:\Program Files\ Trend Micro
[01/01/1998|01:08] C:\Program Files\ Uninstall Information
[07/16/2008|11:36] C:\Program Files\ Unity
[11/05/2002|08:19] C:\Program Files\ Viewpoint
[01/01/1998|01:53] C:\Program Files\ Web Publish
[09/02/2008|06:22] C:\Program Files\ Windows Media Connect 2
[01/01/1998|12:33] C:\Program Files\ Windows Media Player
[07/20/2007|11:01] C:\Program Files\ Windows NT
[01/01/1998|01:10] C:\Program Files\ WindowsUpdate
[07/06/2005|02:21] C:\Program Files\ WinZip
[07/20/2007|11:57] C:\Program Files\ xerox
[12/07/2005|12:56] C:\Program Files\ Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[01/01/1998|12:32] C:\Program Files\Common Files\ Adobe
[11/05/2002|07:33] C:\Program Files\Common Files\ AOL
[11/05/2002|08:10] C:\Program Files\Common Files\ aolshare
[08/19/2007|06:17] C:\Program Files\Common Files\ Apple
[01/01/1998|01:51] C:\Program Files\Common Files\ Designer
[01/01/1998|12:21] C:\Program Files\Common Files\ InstallShield
[03/31/2006|11:33] C:\Program Files\Common Files\ Java
[01/04/2007|05:16] C:\Program Files\Common Files\ Kodak
[08/24/2007|02:45] C:\Program Files\Common Files\ McAfee
[01/01/1998|12:06] C:\Program Files\Common Files\ Microsoft Shared
[04/04/2005|07:20] C:\Program Files\Common Files\ MSSoap
[01/01/1998|01:02] C:\Program Files\Common Files\ ODBC
[02/17/2006|08:11] C:\Program Files\Common Files\ PokerStars.com
[09/08/2001|06:02] C:\Program Files\Common Files\ Real
[01/01/1998|12:11] C:\Program Files\Common Files\ SERVICES
[07/20/2007|10:47] C:\Program Files\Common Files\ SpeechEngines
[03/30/2008|03:42] C:\Program Files\Common Files\ SupportSoft
[07/06/2005|11:21] C:\Program Files\Common Files\ Symantec Shared
[01/01/1998|12:08] C:\Program Files\Common Files\ SYSTEM
[09/24/2008|01:56] C:\Program Files\Common Files\ xing shared

--------------------\\ Process ( 38 Processes ) ... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\AIRHAL~1\Cookies\[email protected][1].txt

--------------------\\ Searching within the Registry ..... OK !
--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 21:15:02
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

C:\WINDOWS\system32\mnVxayxx.ini
C:\WINDOWS\system32\mnVxayxx.ini2
C:\WINDOWS\system32\yJikmUvw.ini
C:\WINDOWS\system32\yJikmUvw.ini2
==> VUNDO <==

[F:241][D:20]-> C:\DOCUME~1\AIRHAL~1\LOCALS~1\Temp
[F:21][D:0]-> C:\DOCUME~1\AIRHAL~1\Cookies
[F:7150][D:9]-> C:\DOCUME~1\AIRHAL~1\LOCALS~1\TEMPOR~1\content.IE5
[F:2][D:0]-> C:\Recycled

1 - "C:\Lop SD\LopR_1.txt" - Fri 02/06/2009|21:16 - Option : [1]

--------------------\\ Scan completed at 21:16:00

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop. DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not WordPad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\system32\mnVxayxx.ini
C:\WINDOWS\system32\mnVxayxx.ini2
C:\WINDOWS\system32\yJikmUvw.ini
C:\WINDOWS\system32\yJikmUvw.ini2
C:\DOCUME~1\AIRHAL~1\Cookies\[email protected][1].txt

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe.

Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

The log is huge so here it comes in three parts:

ComboFix 09-02-06.01 - airhalling 2009-02-06 21:57:46.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.378 [GMT -6:00]
Running from: c:\documents and settings\airhalling\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\airhalling\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\docume~1\AIRHAL~1\Cookies\[email protected][1].txt
c:\windows\system32\mnVxayxx.ini
c:\windows\system32\mnVxayxx.ini2
c:\windows\system32\yJikmUvw.ini
c:\windows\system32\yJikmUvw.ini2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\AIRHAL~1\Cookies\[email protected][1].txt
c:\documents and settings\airhalling\Application Data\FunWebProducts
c:\documents and settings\airhalling\Application Data\FunWebProducts\Data\airhalling\avatar.dat
c:\documents and settings\airhalling\Application Data\Google\T-Scan
c:\documents and settings\airhalling\Application Data\Google\T-Scan\n.gif
c:\documents and settings\airhalling\Application Data\Google\T-Scan\t.gif
c:\documents and settings\airhalling\Application Data\Google\T-Scan\y.gif
c:\program files\A360
c:\program files\A360\av360.exe.tmp
c:\program files\Internet Explorer\msimg32.dll
c:\windows\start.exe
c:\windows\system32\mnVxayxx.ini
c:\windows\system32\mnVxayxx.ini2
c:\windows\system32\yJikmUvw.ini
c:\windows\system32\yJikmUvw.ini2
c:\windows\Tasks\odwguswb.job
c:\windows\Web\default.htt
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
.
2009-02-06 21:11 . 2009-02-06 21:11 d-------- C:\Lop SD
2009-02-05 16:42 . 2009-02-05 16:42 d-------- C:\rsit
2009-02-04 00:52 . 2009-02-04 00:52 36,398 --a------ C:\EasyShare.dmp
2009-01-13 20:12 . 2009-01-13 20:12 d-------- c:\program files\NOS
2009-01-13 20:12 . 2009-01-13 20:12 d-------- c:\documents and settings\All Users\Application Data\NOS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 17:22 34 ----a-w c:\documents and settings\airhalling\jagex_runescape_preferences.dat
2008-12-13 06:40 3,593,216 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\dllcache\srv.sys
2008-11-29 22:39 295,424 ----a-w c:\windows\SYSTEM32\termsrv.dll
2008-08-29 21:38 34,928 ----a-w c:\documents and settings\airhalling\Application Data\GDIPFONTCACHEV1.DAT
2008-07-12 03:11 61,224 ----a-w c:\documents and settings\airhalling\GoToAssistDownloadHelper.exe
2008-01-13 17:08 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-03-22 01:04 75 ----a-w c:\documents and settings\airhalling\Application Data\fusioncache.dat
1998-01-01 07:01 271 --sh--w c:\program files\desktop.ini
1998-01-01 07:01 23,357 ---h--w c:\program files\folder.htt
2008-08-12 05:09 32,768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081120080812\index.dat
.
------- Sigcheck -------
2008-11-29 16:39 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\SYSTEM32\termsrv.dll
2006-02-28 12:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2005-06-14 6856704]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-24 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - c:\program files\America Online 8.0\aoltray.exe [2002-11-05 36939]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 757760]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\airhalling\My Documents\My Pictures\Yosemite.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelSMAPL"=IntelCdx.exe
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" /s
""=
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"KodakCCS"=c:\windows\System32\Drivers\KodakCCS.exe
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTAVTray"=c:\program files\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
"POINTER"=point32.exe
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe"
"LexStart"=lexstart.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"vptray"=c:\progra~1\SYMANT~1\SYMANT~2\VPTRAY.EXE
"LoadQM"=loadqm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
""=
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-13 33752]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [2001-08-17 9344]
S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\SYSTEM32\DRIVERS\s3sav4m.sys [2007-07-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\PCHealth Scheduler for Data Collection.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\airhalling\Application Data\Mozilla\Firefox\Profiles\rweu1nvh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-offrhap&p=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.gopher - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\[email protected]\components\TB_WebRipFFPlugin.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\[email protected]\plugins\np_TB_OgloPlugin.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 22:03:27
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\MCAFEE\MSC\MCMSCSVC.EXE
c:\program files\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
c:\program files\COMMON FILES\MCAFEE\MCPROXY\MCPROXY.EXE
c:\program files\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
c:\program files\MCAFEE\MPF\MPFSRV.EXE
c:\progra~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-06 22:05:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-07 04:05:44

Pre-Run: 61,045,899,264 bytes free
Post-Run: 61,254,008,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

233 --- E O F --- 2009-01-15 09:01:46 |
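The ComboFix log above is worth reading for more than the Vundo file names. Its "Reg Loading Points" section also shows Security Center monitoring switched off for four products, the Windows Firewall standard profile with EnableFirewall = 0, a user application registered under HKEY_USERS\.DEFAULT\...\Run (which is processed outside any interactive user's profile), and Firefox left with network.proxy.type = 1 (manual proxy) while every proxy host is empty. The script below is an added example for this page; it is not part of the thread, ComboFix or HijackThis. It pulls those indicators out of a pasted log with a few conservative rules, and it also covers three HijackThis line types that turn up in the logs posted in later replies (an R1 ShellNext value pointing at a non-HTTP URL, an O2 BHO with no backing file, an O23 service with an unknown owner). The sample text is constructed from lines quoted in this thread, and the rule names are mine.

```python
"""Triage autorun and policy lines copied from ComboFix / HijackThis logs.

Added example for this thread, not code from any of the tools discussed.
"""
import re

# Constructed sample, modelled on the ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2005-06-14 6856704]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelSMAPL"=IntelCdx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.type - 1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://dandin1.no-ip.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')        # "name"=data
FF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")   # ComboFix Firefox prefs line
HJT_RE = re.compile(r"^([RO]\d+) - (.*)$")              # HijackThis entry

def exe_path(data):
    """Executable from a Run value: drop ComboFix's '[date size]' suffix, quotes and args."""
    data = re.sub(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$", "", data).strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0] if data else ""

def reg_rules(key, name, data):
    k = key.lower()
    if "security center\\monitoring" in k and name == "DisableMonitoring" and data.endswith("1"):
        return [("security_center_monitoring_disabled", key.rsplit("\\", 1)[-1])]
    if "firewallpolicy" in k and name == "EnableFirewall" and data.startswith("0"):
        return [("firewall_disabled", key.rsplit("\\", 1)[-1])]
    if not k.endswith("\\run"):      # 'run-' and disabledrunkeys hold ComboFix backups, not live entries
        return []
    path, out = exe_path(data), []
    if k.startswith("hkey_users\\.default"):           # heuristic: user apps rarely belong here
        out.append(("run_in_default_hive", f"{name} -> {path}"))
    if "\\" not in path:                                # bare name is resolved via the PATH search order
        out.append(("run_unqualified_path", f"{name} -> {path}"))
    if re.search(r"\\(temp|application data|local settings)\\", path, re.I):
        out.append(("run_from_user_writable_dir", f"{name} -> {path}"))
    return out

def hjt_rules(kind, rest):
    if kind == "R1" and "ShellNext" in rest:
        url = rest.split("=", 1)[1].strip()
        if "://" in url and not url.lower().startswith(("http://", "https://")):
            return [("shellnext_non_http", url)]
    if kind == "O2" and rest.endswith("(no file)"):
        return [("bho_missing_file", rest)]
    if kind == "O23" and " - Unknown owner - " in rest:     # no company name in version info
        return [("service_unknown_owner", rest.split(" - ")[-1])]
    return []

def triage(text):
    """Return a list of (rule, detail) findings for one pasted log."""
    findings, prefs, key = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := FF_RE.match(line):
            prefs[m.group(1)] = m.group(2).strip()
        elif m := HJT_RE.match(line):
            findings += hjt_rules(m.group(1), m.group(2))
        elif (m := VALUE_RE.match(line)) and key is not None:
            findings += reg_rules(key, m.group(1), m.group(2).strip())
    if prefs.get("network.proxy.type") == "1":              # 1 = manual proxy configuration
        hosts = sorted(v for p, v in prefs.items()
                       if p.startswith("network.proxy.") and p != "network.proxy.type")
        findings.append(("firefox_manual_proxy", ", ".join(hosts) or "(no hosts)"))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:38} {detail}")
```

Run it as-is and it prints one finding per line for the constructed sample; to use it on a real log, replace SAMPLE_LOG with the pasted text. The point is to make the reviewer look at every autorun value and policy key rather than trust a tool's own "OK !" summaries; the .DEFAULT and unknown-owner rules are heuristics that call for a look, not proof of infection.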
|
| 517. |
Solve : Five Most popular AV Freeware or Shareware out in the wild.? |
|
Answer» Five most popular AV freeware or shareware out in the wild. You may not agree with the list, but of the list, would you recommend one to a new user? If you think some should not be on this list, tell us why. I am curious to see how NOD32 is rated by users here. http://www.eset.com/
AVG Anti-Virus FW/SW
Avast Antivirus FW/SW
Avira AntiVir FW/SW

I usually only recommend free, but if I were to go for something paid it would be either BitDefender or ESET NOD32. |
|
| 518. |
Solve : quarantined files? |
|
Answer» simple question.... lol |
|
| 519. |
Solve : need help have the log files? |
|
Answer» I keep getting the same virus in my Quarantine, "Mal/Behav-304". I'm using Sophos Anti-Virus; it's up to date, as is my Java. I followed the advice of this forum and went through the steps. I've attached the log files from SUPERAntiSpyware, Malwarebytes' Anti-Malware and HijackThis. Please help if you can. |
|
| 520. |
Solve : AVG 7.5 or 8?? |
|
Answer» Hi guys. I was on here a while back and there was a debate whether or not version 8 was stable, so I took some advice and stuck with the 7.5 version. Is version 8 stable now?

I used AVG for years until V8, but that was so much trouble that I switched to Avira and am well pleased with it.

As of March 1st AVG 7.5 is no longer supported. http://freeforum.avg.com/read.php?1,136697,backpage=,sv= |
|
| 521. |
Solve : Hijack this log == Possible infection?? |
|
Answer» AVG caught two trojans as they attempted to enter my system but I fear the damage may be done as I continue to get a dll: missing file error message and my computer will go into a continuous reboot on its own.
Evil Fantasy, I neglected to include some information in my original post. The Trojan Horse problem began on Thursday and rendered IE virtually inoperable. My system shut itself down and when it rebooted itself, the error message was "to help protect your computer, Windows has closed this program. Program name: WMI by Microsoft Corporation." I closed the message and the system automatically rebooted itself over and over again. I also get a dll error message saying there is a "missing entry." I immediately tried to run Malware (which I had on my system) but discovered that the executable file was gone -- disappeared. Over the last two days I have attempted to reinstall Malware, but IE will not cooperate. In fact, I'm online now in Safe mode. Twice, IE actually opened the download page for Malware (in normal mode) and I was able to start the download, but during the process the download stopped and the system rebooted itself. I then attempted to download Firefox (to circumvent the IE problem) with the same results -- after several attempts, I finally got to the download page, was able to start the download, and it automatically stopped and the system rebooted before Firefox was downloaded. How do I proceed?

Before you begin the SDFix instructions you should copy these instructions into a Notepad file and save them to your desktop, or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

Download SDFix by AndyManchesta and save it to your desktop. When using this tool, you must use the Administrator's account or an account with Administrative rights.

* Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.
* Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When your computer has started in safe mode, and you see the desktop, close all open windows.

* Click on the Start button, click on the Run menu option, and type the following text from the code box into the Open: field, then click the OK button.

Code:
C:\SDFix\RunThis.bat

* The SDFix window will open containing some brief info and a disclaimer on the use of the tool.
* Type Y on your keyboard and then press Enter to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
* Press any key and it will restart the PC.
* When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
* Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Copy and paste the contents of the results file Report.txt in your next reply. |
|
| 522. |
Solve : Yet Another? |
|
Answer» Dell Deminsion 4800 I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one antivirus product installed and running on your computer at a time.Listen to evilfantasy on this one. In the anti-malware community, this is one of our biggest rules.ok i removed panda. but after running a new hjt its still on that list Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:15:47 PM, on 8/15/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LxrJD31s.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Media Player\WMPNetwk.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files\QuickTime\qttask.exe 
C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\PROGRA~1\MICROS~3\rapimgr.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Morpheus\Morpheus.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://dandin1.no-ip.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class 
- {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVG8_TRAY] 
C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-21-2000478354-515967899-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Owner') O4 - HKUS\S-1-5-21-2000478354-515967899-839522115-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Owner') O4 - HKUS\S-1-5-21-2000478354-515967899-839522115-1003\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (User 'Owner') O4 - HKUS\S-1-5-21-2000478354-515967899-839522115-1004\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?') O4 - HKUS\S-1-5-21-2000478354-515967899-839522115-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?') O4 - HKUS\S-1-5-21-2000478354-515967899-839522115-1008\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'josh') O4 - HKUS\S-1-5-21-2000478354-515967899-839522115-1009\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Evelyn') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - S-1-5-21-2000478354-515967899-839522115-1004 Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe (User '?') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/edrawings/download.cfm?Release=REL O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN 
Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = glover O17 - HKLM\Software\..\Telephony: DomainName = glover O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = glover O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = glover O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll, O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
-- End of file - 12176 bytes

Open HijackThis and select Do a system scan only. Place a check mark next to the following entries (if there):
- R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://dandin1.no-ip.com/
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O4 - S-1-5-21-2000478354-515967899-839522115-1004 Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe (User '?')
- O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
Important: Close all windows except for HijackThis and then click Fix checked. Exit HijackThis.
----------
Now, go to Start > Run, and copy/paste the following into the Open box:
sc stop PavPrSrv
Now click OK. Do the same for:
sc delete PavPrSrv
Now click OK.
----------
Locate and delete this folder: C:\Program Files\Panda Software
----------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. First install the new Sun Java Runtime Environment. Be sure to close all browser windows before beginning the install. Remove the old version(s).
---------- Download and install SUPERAntiSpyware Free for Home Users
Make sure everything found has a check next to it and press Next. Then click Finish. It is possible that SUPERAntiSpyware asks to reboot the PC in order to delete some files. Locate the SUPERAntiSpyware log as follows:
Post the SUPERAntiSpyware log in your reply.

I ran a scan in HJT and could not find O4 - S-1-5-21-2000478354-515967899-839522115-1004 Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe (User '?'). Then, after doing these steps:
Now, go to Start > Run, and copy/paste the following into the Open box: sc stop PavPrSrv. Now click OK. Do the same for: sc delete PavPrSrv. Now click OK.
==================
I ran into this problem when trying to delete the Panda Software folder: "Cannot delete scoffset.bin.incr: It is being used in another program". I think this may have been caused by another account being logged on.

First, open the folder and see if there is an uninstaller in there. If not, go to this post and scroll down to the Panda Antivirus Uninstall Tools and try running the Panda Version 2007 Uninstaller.exe.

OK, done.

Good. Run SUPERAntiSpyware, and after it is complete and the computer has restarted, run a new HijackThis scan and post that log also. And update the Java.

When are you going to be actively posting tomorrow?

I'm usually free to start working through my email between 10am and noon (central time), usually closer to 10am.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/17/2008 at 03:47 PM
Application Version : 4.15.1000
Core Rules Database Version : 3538
Trace Rules Database Version: 1527
Scan type : Quick Scan
Total Scan Time : 00:27:08
Memory items scanned : 463
Memory threats detected : 0
Registry items scanned : 437
Registry threats detected : 0
File items scanned : 5094
File threats detected : 73
Adware.Tracking Cookie
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:52 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/edrawings/download.cfm?Release=REL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = glover
O17 - HKLM\Software\..\Telephony: DomainName = glover
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = glover
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = glover
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
-- End of file - 9923 bytes |
|
| 523. |
Solve : LOGS- SAS, Malwarebytes' anti-malware, and HijackThis.? |
|
Answer» Please help me with this problem. Here are the logs you asked for; I hope they help. |
|
| 524. |
Solve : I believe my MSN messenger account has been hijacked and i need help !? |
|
Answer» I was chatting to a friend on MSN Messenger when it abruptly closed and I received a message stating that I had logged onto another computer. The friend I was chatting to received a message from whom she believed was 'me' telling her to follow a link to another webpage, which she did, giving out her username and password in the process. I have since found out that some of my other friends have received messages from 'me' with links to 'bad' sites. I shudder to think what sites they are being sent to and what damage it may be causing them, and I feel very guilty about the whole thing. I have told them I would try and help in finding a cure for their infected PCs; however, none of us have any real PC skills. I found this forum and read loads about similar problems, but I haven't done much, as 'EvilFantasy' stated each PC is different, so not to follow those particular remedies. I have followed the initial pre-admin stuff, including updating Java, and the three scan and clean programs, and I have the log files ready for perusal, should anyone be willing to offer to help my friends and me. My system is a Dell Dimension 9200, Core 2 CPU 6600 2.4 GHz with 2048 MB RAM, and the OS is MS XP Pro SP3; it is a couple of years old but has rarely been used. It has had some updates to IE7, MS Works and Adobe Flash Player recently, as well as the automatic Windows updates (mainly security). I was running BitDefender Total Security 2008 at the time of the hack, but I have since disabled it as I no longer have any trust in it. I am currently using McAfee; however, I have downloaded and used the tools recommended by 'EvilFantasy'. Can somebody have a look at my three logs and offer me some advice please?

I think I know what you are talking about. Also, if you would post the logs here, our Malware Specialists can have a look at them. The page with those three tools also has instructions on how to post the logs. Please follow those steps and we'll help you out.
You may also want to change your password and perhaps even contact MSN, just as a precaution. |
|
| 525. |
Solve : not sure about antivirus programs? |
|
Answer» -------------------------------------------------------------------------------- |
|
| 526. |
Solve : add/remove programs from control panal...to evilfantasy from DKC? |
|
Answer» From DKC to EvilFantasy: had no problems with these. Added ESET log. |
|
| 527. |
Solve : Intrusion Prevention Suggestions? |
|
Answer» Hello, |
|
| 528. |
Solve : connection issues wondering if it could be related to virus -hijackthis included? |
|
Answer» Hi, first I would like to say thanks to anyone who is taking a look at this and offering help. I have always found wonderful help on the forums and I thoroughly appreciate it. I don't know if I need to be posting here or in the networking forum, but I am including a HijackThis log, so I will post it here for starters. I downloaded a .rar file the other day and my computer worked fine for a few days after. Now I'm having trouble connecting to the internet. It works fine in the morning before I leave for work, and it's currently working now that I'm back home, but it is usually out and usually stays out most of the time. I talked to tech support last night through my cable company (I connect through a cable Ambit modem; I have no other connections, routers, etc.) and we did ipconfig and he told me that my IP was invalid (it was a 169 number). That has since changed, but my connection still isn't reliable. I am wondering if this could be a fault on their end or if I could possibly have ended up with a virus? I read something about a network adapter being bad or something infecting my DHCP, but both terms are Greek to me. My cable company has also been experiencing issues; could this change my IP to an invalid IP and then switch it back over, or is the problem deeper than that? Also, if it helps, my modem is almost four years old, and when this problem occurs all lights (power, USB, recv, sync and ready) are still lighting up and blinking, but the SEND light will barely have any blinking signal, if at all. Sorry for rambling, I appreciate any and all help. Here is the HijackThis report. |
|
| 529. |
Solve : What is the best antivirus?? |
|
Answer» I would like to ask, what is the best antivirus for Windows Vista Home Basic? I'm currently using Avira antivirus. |
|
| 530. |
Solve : Is this legit?? |
|
Answer» New tower, given to me by a friend. There is a small icon that takes you to this site; the icon tells you Windows may be at risk, then something about not being genuine and not getting updates.
http://www.microsoft.com/genuine/default.aspx?displaylang=en&PartnerID=4
A network error or timeout has occurred while processing your request. please try again later
*sigh* |
|
| 531. |
Solve : malware! please help? |
|
Answer» Every time my computer comes on, a message comes up saying 16-bit MS-DOS, saying illegal activity is going on; also 2 black windows come up as well, then I have to click either Ignore or Close. I've done all the logs and stuff, so if someone could please just have a look at them to tell me how to get rid of it.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/23/2008 at 12:18 PM
Application Version : 4.21.1004
Core Rules Database Version : 3555
Trace Rules Database Version: 1543
Scan type : Quick Scan
Total Scan Time : 00:12:57
Memory items scanned : 495
Memory threats detected : 0
Registry items scanned : 415
Registry threats detected : 2
File items scanned : 17751
File threats detected : 3
Trojan.Downloader-Gen
[Microsoft Task Scheduler] C:\WINDOWS\SYSTEM32\DLHA\MSTASK32.COM
C:\WINDOWS\SYSTEM32\DLHA\MSTASK32.COM
[Microsoft Task Scheduler] C:\WINDOWS\SYSTEM32\DLHA\MSTASK32.COM
Adware.Tracking Cookie
C:\Documents and Settings\Cecelia\Cookies\[email protected][2].txt
C:\Documents and Settings\Cecelia\Cookies\[email protected][1].txt

Malwarebytes' Anti-Malware 1.30
Database version: 1308
Windows 5.1.2600 Service Pack 2
23/10/2008 15:02:57
mbam-log-2008-10-23 (15-02-57).txt
Scan type: Quick Scan
Objects scanned: 47814
Time elapsed: 3 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 14
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\videoegg.com/publisher,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\videoegg.com/updater,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcerVGA Engine Drivers V1.2 (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\nScan (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\nScan\ecls.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrn.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnAmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnEmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnEpfw.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\ekrnScan.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em000_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em001_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em002_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em003_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em004_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em005_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nScan\em006_32.dat (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\nScan\mod_comp.dat (Backdoor.Bot) -> Quarantined and deleted successfully. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:15:04, on 23/10/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\Program Files\Kontiki\KService.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\Tvs\TvsTray.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe C:\WINDOWS\system32\ZoomingHook.exe C:\WINDOWS\system32\TCtrlIOHook.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\Kontiki\KHost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Veoh Networks\Veoh\VeohClient.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE C:\Program Files\Sony\Sony Picture 
Utility\VolumeWatcher\SPUVolumeWatcher.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj CLASS - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\RunOnce: [*Prauge DVDRam Version 2.3A*] C:\WINDOWS\system32\spfx\hypinit32.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - 
HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all O4 - HKCU\..\Run: [Microsoft Windows Visual V2.0] C:\WINDOWS\msiutil.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe O4 - HKCU\..\Run: [Sony DVDRam Version 1.8B] C:\WINDOWS\uiengine32.exe O4 - HKCU\..\Run: [Prauge DVDRam Version 2.3A] C:\WINDOWS\system32\spfx\hypinit32.exe O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem O4 - HKCU\..\RunOnce: [*Prauge DVDRam Version 2.3A*] C:\WINDOWS\system32\spfx\hypinit32.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network 
Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/btmailcontrol013.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 10265 bytes thanks Looking over your log it SEEMS you don't have any antivirus software. Before we continue download and install a free antivirus. Remember to only install one antivirus! 1) Avast! Home Free Edition 2) AVG Free Edition 3) Avira AntiVir Personal 4) Comodo Antivirus 5) PC Tools AntiVirus Free Edition It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time. Once installed make sure it is updated and then run a FULL system scan and remove/quarantine anything found. After that, please post a new HijackThis log. |
|
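The HijackThis log in the post above carries several dozen O4 autostart entries, and the ones worth a second look share a pattern with the AcerVGA Engine Drivers entry that Malwarebytes flagged as Backdoor.Bot in the same post: a hardware- or driver-sounding name, with the executable dropped straight into C:\WINDOWS (for example [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe) rather than under Program Files. The Python below is an added example written for this page; it is not HijackThis code and not the helper's procedure. It parses the registry-based O4 lines out of a log and applies three review heuristics that are this example's own assumptions (executable in the Windows folder root, executable in a Temp or profile folder, bare filename resolved through the search path, plus the driver-style-name check). A hit means "review this entry", not "this is malware"; the sample lines are copied from the posted log, and AGRSMMSG.exe in it is a legitimate modem helper that happens to trip the bare-filename rule. The same O4 format appears in the later logs on this page.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; not HijackThis code. Heuristics below are
assumptions of this example, chosen to surface entries for manual review.
"""
import re
from dataclasses import dataclass

# Sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [*Prauge DVDRam Version 2.3A*] C:\WINDOWS\system32\spfx\hypinit32.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Microsoft Windows Visual V2.0] C:\WINDOWS\msiutil.exe
O4 - HKCU\..\Run: [Legacy VGA Drivers V1.0] C:\WINDOWS\certproc32.exe
O4 - HKCU\..\Run: [Sony DVDRam Version 1.8B] C:\WINDOWS\uiengine32.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# Registry-based O4 lines: hive, Run/RunOnce key, [name], command, optional (User '...').
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$"
)
# First token ending in a program extension, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd))\b', re.IGNORECASE)
# Entry names that imitate hardware or driver software (assumption of this example).
HARDWARE_NAME_RE = re.compile(r"drivers?|vga|dvd ?ram|engine|\bv\d", re.IGNORECASE)
# Folders where legitimate startup programs rarely place their executable.
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt", r"%systemroot%", r"%windir%"}


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    exe: str
    cmd: str


@dataclass
class Finding:
    entry: Entry
    reasons: list


def parse_o4(log_text):
    """Return the registry-based O4 entries of a log, in order of appearance."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Startup-folder O4 lines and other sections are ignored here
        cmd = m["cmd"]
        em = EXE_RE.match(cmd)
        exe = em["exe"] if em else cmd.split()[0].strip('"')
        entries.append(Entry(m["hive"], m["key"], m["name"], exe, cmd))
    return entries


def review_reasons(entry):
    """Apply the heuristics to one entry; an empty list means nothing to flag."""
    reasons = []
    low = entry.exe.lower()
    if "\\" not in low:
        reasons.append("bare filename; which file runs depends on the search path")
    else:
        folder = low.rsplit("\\", 1)[0]
        if folder in WINDOWS_ROOTS:
            reasons.append("executable placed directly in the Windows folder root")
        if "\\temp\\" in low or "\\documents and settings\\" in low or "\\users\\" in low:
            reasons.append("executable runs from a temp or user-profile folder")
    if HARDWARE_NAME_RE.search(entry.name) and "program files" not in low:
        reasons.append("hardware/driver-style name but not installed under Program Files")
    return reasons


def triage(log_text):
    """Entries worth a second look, each with the reasons it was flagged."""
    findings = []
    for entry in parse_o4(log_text):
        reasons = review_reasons(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.hive}\\..\\{f.entry.key} [{f.entry.name}] -> {f.entry.exe}")
        for reason in f.reasons:
            print("    -", reason)
```

Point `triage()` at the text of a saved log and read the flagged entries alongside the rest of the thread's advice; the heuristics are deliberately loose, so expect a few legitimate OEM utilities in the output next to the ones that matter.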
| 532. |
Solve : Not again!!!!!!!!!? |
|
Answer» Hey Evilfantasy!
[Saving space - attachment deleted by admin]

Second One:

info.txt logfile of random's system information tool 1.04 2008-10-24 12:02:52

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Ask Toolbar-->rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
C-Media 3D Audio-->C:\WINDOWS\CMIUnInstall.exe
COMODO Firewall Pro-->C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
COMODO SafeSurf-->C:\Program Files\COMODO\SafeSurf\cssconfg.exe -u
EVEREST Home Edition v2.20-->"C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5-->MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
RTLSetup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\SETUP.EXE" -l0x9 REMOVE
Sify Broadband 3.22-->"C:\Program Files\Sify Broadband\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Security center information======

AV: AVG Anti-Virus Free
FW: COMODO Firewall Pro

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Download OTMoveIt2 by OldTimer and save it to your Desktop.
Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.
1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.
Code: [Select]
[kill explorer]
C:\WINDOWS\SET7.tmp
C:\WINDOWS\SET3.tmp
EmptyTemp
[start explorer]
3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Explorer killed successfully
C:\WINDOWS\SET7.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_1tgyJ8uCP8YQElCdItSc scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9CFC.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10252008_091705

Files moved on Reboot...
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_1tgyJ8uCP8YQElCdItSc not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9CFC.tmp not found!

1. Double click OTMoveIt2.exe to launch it. If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
---------- Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
'Index of ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe/
Up to higher level directory
Name Size Last Modified
What shall I do?

Click here ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

It's clicky here but it wasn't clicky on that page, and when I click on the link you gave me it again sends me to the same page, and on that page it is not clicky.

Try here http://majorgeeks.com/downloadget.php?id=4783&file=1&evp=ef9669e4f16e6e75d95abcde8f88163d |
|
| 533. |
Solve : .DLL issue? |
|
Answer» SUPERAntiSpyware SCAN Log |
|
| 534. |
Solve : Re: Computer Wont Start in Normal mode, only Safe Mode. Spyware infection. Help? |
|
Answer» Hello, |
|
| 535. |
Solve : Viruses and Malware? |
|
Answer» After 10 years on the net, I guess it is about time it happened. I went to uninstall something last night and my computer went haywire. Suddenly telling me I had viruses, spyware, malware and all sorts of other stuff. The whole XP Security thing popped up (never seen it before) and I'm freaking out. I can't get online, my AVG was shut down, SpyBot shut down..... even changed my homepage and wallpaper. I did a search online and found evilfantasy's (I think that was their name) post about how to download and run SUPERAntiSpyware, HiJack and other things. Thankfully I have another PC so I had to download stuff on that PC.... save to flash.... move to laptop... install. Back and forth. FINALLY.... I can get online, no more "you are infected" windows, my wallpaper is back.

One more thing... As a standard procedure, we like to have users clear out their System Restore files and start over with a clean slate. This is to remove any infected files that have been backed up by Windows. Please follow these steps...
1. Go to Start > Programs > Accessories > System Tools > System Restore
2. Click on System Restore Settings.
3. Check Turn off System Restore and click OK.
4. Restart your computer.
5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6. Create a new restore point and close the program.
System Restore will now be active again. If you would like to learn more about System Restore, go here.
And there you go! Follow these steps and you'll be just a bit safer. If you have any more questions, you are more than welcome to ask.

Thank you ever so much! I've done it all..... well... not the firewall but I'm on my way to get one of those as well. I sure do appreciate the time you have put into this thread. May you have a great Halloween weekend!

I'm glad I was able to help. Oh, and there's one more thing! Sorry, but I forgot to have you uninstall ComboFix. Click on your Start button and click on Run, then type combofix /u (note the space) and click OK. It's generally best to remove the program until you need it again. I plan on having a great weekend and I hope you will as well. |
|
| 536. |
Solve : Need help... can anyone take a look at this logs?? |
|
Answer» http://www.savefile.com/files/1829805
http://www.savefile.com/files/1829806
http://www.savefile.com/files/1829807

There is no need to upload the files to SaveFile, you can attach them here or just copy/paste them into the replies. What problems are you having?...

Quote from: evilfantasy on October 09, 2008, 11:03:26 AM
There is no need to upload the files to SaveFile, you can attach them here or just copy/paste them into the replies.

I tried to attach them here but the files were too large... and according to the instructions I am to upload it on savefile and copy paste the links at my post. I don't know what the problem is exactly... I just asked on the online chat why it is that when I try to open my drives, it won't open and the open with window shows up. And I believe that was Carbon who told me that it was caused by a virus and instructed me to follow what was in the malware removal stuff and post it at the forums. So there.... Hope you can help me...

Run MalwareBytes again and this time have it fix everything it finds. It all says No action taken. Copy and paste the log in your next reply and also let me know if the problem still exists.

Quote from: evilfantasy on October 10, 2008, 11:41:52 AM
Run MalwareBytes again and this time have it fix everything it finds. It all says No action taken.

I've already run the MalwareBytes. Here's the log.

Malwarebytes' Anti-Malware 1.28
Database version: 1242
Windows 5.1.2600 Service Pack 2

10/14/2008 6:11:31 PM
mbam-log-2008-10-14 (18-11-31).txt

Scan type: Quick Scan
Objects scanned: 47849
Time elapsed: 11 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Quote from: evilfantasy on October 10, 2008, 11:41:52 AM
Quote from: evilfantasy on October 14, 2008, 10:06:20 AM
Quote from: evilfantasy on October 10, 2008, 11:41:52 AM

I already did copy and paste the logs... and I checked my drives, still can't open them... the open with window still comes up.

Download Deckard's Association File Tool (DAFT) and save it to your desktop.

Download Deckard's Association File Tool (DAFT) and save it to your desktop.
I already did the instructions above. When I clicked scan, it said "All associations okay!"

Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE. Double-click FixPolicies.exe. Click the Install button on the bottom toolbar of the box that will open. The program will create a new Folder called FixPolicies. Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd. A black box will briefly appear and then close. Restart the computer so the changes can take effect. How about now?

The link is not working...

http://rapidshare.com/files/154446597/FixPolicies.exe.html

Quote from: evilfantasy on October 15, 2008, 08:25:25 PM

Already done... but still drives cannot be opened, the "Open with" window shows up instead.

I have another question... after I have restarted... some ghostly looking files appeared in my external drive. These were not here before. I guess I forgot to leave this info out, that my external drive before also had the same problem, that I can't open it directly but the "Open with" window keeps showing. What I have done is format it. Now it can be opened. I was supposed to put the image there, but didn't do it right. Here it is....

[Saving space - attachment deleted by admin] |
|
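In the exchange above the helper had to read the whole Malwarebytes log to notice that every item said "No action taken" and send the poster back for another run. The Python below is an added example written for this page, not Malwarebytes code: it parses a Malwarebytes' Anti-Malware 1.x log of the shape posted in this thread into summary counts and per-section detail items, lists items whose action is anything other than "Quarantined and deleted successfully", and reports sections whose summary count disagrees with the number of detail lines, which is what a truncated paste looks like. The sample log is constructed from the entries posted in this thread, with the first Trojan.BHO item's action changed to "No action taken" and the regfile open-command item from the later log added, so that both checks have something to find.

```python
"""Check a Malwarebytes' Anti-Malware 1.x log for items that were not acted on.

Added example for this thread; not Malwarebytes code. The log layout
(summary counts, then "<Section> Infected:" blocks of
"<target> (<family>) -> [Bad: (x) Good: (y) -> ]<action>." lines) follows
the logs posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries from the logs in this thread, with one action
# changed to "No action taken" to exercise the check.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.28
Database version: 1242
Windows 5.1.2600 Service Pack 2

10/14/2008 6:11:31 PM
mbam-log-2008-10-14 (18-11-31).txt

Scan type: Quick Scan
Objects scanned: 47849
Time elapsed: 11 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
SUCCESS = "Quarantined and deleted successfully"


@dataclass
class Item:
    section: str
    target: str
    family: str
    bad: Optional[str]
    good: Optional[str]
    action: str


@dataclass
class Report:
    summary: dict
    items: list


def parse_mbam(text):
    """Split a log into summary counts and the detail items under each section."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:  # "Registry Keys Infected: 2" in the summary block
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:  # "Registry Keys Infected:" opens a detail block
            section = m["section"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append(Item(section, m["target"], m["family"], m["bad"], m["good"], m["action"]))
    return Report(summary, items)


def pending_items(report):
    """Items MBAM listed but did not quarantine (for example 'No action taken')."""
    return [i for i in report.items if i.action != SUCCESS]


def summary_mismatches(report):
    """Sections whose summary count differs from the detail lines actually present."""
    mismatches = {}
    for section, count in report.summary.items():
        detailed = sum(1 for i in report.items if i.section == section)
        if detailed != count:
            mismatches[section] = (count, detailed)
    return mismatches


if __name__ == "__main__":
    report = parse_mbam(SAMPLE_MBAM_LOG)
    for item in pending_items(report):
        print(f"not actioned: {item.target} ({item.family}) -> {item.action}")
    for section, (expected, seen) in summary_mismatches(report).items():
        print(f"{section}: summary says {expected}, log shows {seen} detail lines")
```

The Bad/Good pair is kept on each data item so that the hijacked settings in these logs (the SHOWALL CheckedValue that hides files, the regfile open command) can be compared against their expected values without rereading the log.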
| 537. |
Solve : best trojan remover program? |
|
Answer» Hi |
|
| 538. |
Solve : My logs from todays virus infection? |
|
Answer» Hi
Windows XP System Restore Guide or Windows Vista System Restore Guide.
----------
Use the Secunia Software Inspector to check for out of date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript
To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software
I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth. |
|
| 539. |
Solve : files invisible in pen drive??? |
|
Answer» Hello all, by the way, even if the files are hidden, I can use a Windows command (xcopy) to copy any file if I know its name on the drive..

Hmmm.... And the copied files are no longer hidden? |
|
| 540. |
Solve : Mcafee Site Adviser, Not working.? |
|
Answer» My McAfee Site Adviser quit working. I uninstalled it, reinstalled, but no luck. It's showing up in my Add and Remove Programs but not working.

A program? Or Firefox addon?

OK, I went to the McAfee support site, had to uninstall and reinstall Internet Explorer 7 then enable add-ons for McAfee Site Adviser.

I, too, was experiencing problems with this particular add-on, as well, but in FF. In my issue, the problem resolved itself... must've been a problem on McAfee's end. Glad you have it working... That program has been nothing but a pain lately. |
|
| 541. |
Solve : what in the world is this??? |
|
Answer» I had a file like this before, and there was another one on my computer before, but when I removed a trojan called oxo.exe it seemed to go away. Well, a file like this is back and it keeps popping up asking to allow or block it in my firewall (Comodo). I don't think I ever installed anything like this before either. The file name is HDVIDEOCODEC_VER1.50065006500-3652CD4E.pf (I searched for the file), located in c:/windows/prefetch

Now click Empty Selected
When you get the Done Cleaning message, click OK
Firefox users click Firefox on the menu bar
Click on Select All, then click Empty
Note: If you want to keep your saved Passwords click No on the prompt.
Opera users click Opera on the menu bar
Click on Select All, then click Empty
Note: If you want to keep your saved Passwords click No on the prompt
Important: Restart the computer before continuing.
Note that your system will run slower for a reboot or two after having used this tool so don't panic
----------
Run the Kaspersky Online Scanner
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.
There is no option to clean/disinfect, however, we need to analyze the information on the report. To obtain the report: Click on: Save Report As
Copy and paste the Kaspersky Online Scanner Report in your next reply.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

AHHH I think it's growing!! It asked me to block/allow HDVideoCodec_ver1.500650065006500650065 0065006500650065006.0. I'll get back to you on those things

Then you need to do the malware removal guide.

Working on it

I have the same thing! I got it when I was at computeruler's house last weekend. I think something is getting through his internet. Just a thought...

Kaspersky found nothing

That's hard to believe for some reason. No log? Are you working on the malware removal steps?

The HJT, Malwarebytes' Anti-Malware and that stuff??? OK, I'll do it

Just the MalwareBytes and HJT will be OK.

OK, well I ran SUPER anyway and that found nothing. Here's HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:21 PM, on 10/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\[email protected]\[email protected]\[email protected]
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kevin\Application Data\[email protected]\FahCore_82.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Kevin\Desktop\CoreTemp\Core Temp.exe
C:\Program Files\GameTap\bin\Release\gametap.exe
X:\Program Files\Eidos\Just Cause\JustCause.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EasyTuneVI] C:\Program Files\GIGABYTE\ET6\ETcall.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GBTUpd] C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe
O4 - HKLM\..\Run: [8169Diag] C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe /hw
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd

I see that I have that stupid Viewpoint again, and MBAM already found something but that's still going

I need HJT after MBAM. Doesn't do any good to run it before.

Ooo OK, almost done with MBAM. Remove the things it finds, right?

Yes and post the log.
I need to see what all I might be looking for in the other logs we "might" need.

Here's the MBAM:

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 3

10/3/2008 10:26:29 PM
mbam-log-2008-10-03 (22-26-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 123947
Time elapsed: 30 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Run (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{212BC3FE-765D-40F4-AF58-C5B19958BAAD}\RP44\A0012479.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And here's the new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:32 PM, on 10/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\[email protected]\[email protected]\[email protected]
C:\Documents and Settings\Kevin\Application Data\[email protected]\FahCore_82.exe
C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EasyTuneVI] C:\Program Files\GIGABYTE\ET6\ETcall.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GBTUpd] C:\Program Files\GIGABYTE\GBTUpd\PreRun.exe
O4 - HKLM\..\Run: [8169Diag] C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe /hw
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US EE://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: [email protected] = ?
O4 - Startup: GomezPEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} (InstallerCtrl Class) - http://c03.tellmemorecampus.com/bin/tol7inst.cab O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7706 bytes |
|
| 542. |
Solve : Can someone please take a look at my logs?? |
|
Answer» Please help me with my logs. Sorry to post the logs here, as the uploader is full. Thanks!

The HijackThis log looks OK. Go here to see how to delete the old infected Restore Points and create a new clean one.
----------
Use the Secunia Software Inspector to check for out-of-date software.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
Here are some great free tools to help you keep from getting infected again. These tools use little or no resources, so they won't slow down your PC.

Concerned about browser security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript.

To prevent unknown applications from being installed on your computer, install WinPatrol 2008.
* Using WinPatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly. |
|
| 543. |
Solve : AVG Startup and Network connect.? |
|
Answer» I run Vista Home Basic x64. I have a cable connection and I use the onboard VIA Rhine II Ethernet adapter to connect. First of all, no matter what anti-virus I've ever run, the time it takes Vista to connect to the internet has always been slow. I'd say between 10 and twenty seconds. But I've noticed that has also depended on what security software I am running. |
|
| 544. |
Solve : Win32? spybot said needed to manually reinstall it?? |
|
Answer» I ran Spybot and it found spyware in two Win32 areas. When I fixed them, Spybot said I need to manually reinstall them. I don't know what Win32 is or how to reinstall it. Please help! Is there a file I can download to fix this? |
|
| 545. |
Solve : I did it again...? |
|
Answer» I did all the steps to remove malware (I'll post the logs). I get this pop-up when I go to Amazon and click "search inside this book". |
|
| 546. |
Solve : Help if possible...Microsoft Must Close, IE Errors, Virus?? |
|
Answer» I am not an expert with computers, as you probably already gather.... would really appreciate help on getting this poor machine running right again... I'm not afraid to ask questions and will... So please get me going in the right direction and what to do... I'll do anything except suggesting to give up and throw this computer in the garbage...
---------- Install Avast Home Free. Avast! Home Free Edition ---------- Download TrendMicro HijackThis.exe (HJT) to the Desktop.
Probably will have to do all over again... What I did as the deleting and loading went on... I downloaded the Norton removal for Windows 98... When a message came up to delete or not the quarintined items...I freaked and said no... Remember YEARS ago had a worm or something and didn't know if it would come crawling backout...Hope you could tell Anyway did all that you wanted me to do.. Thanks for helping...and hope I could get this working...Let me know what's next... If you see anything else that I could toss I'd be greatful...I don't use the netscape crap... Deb Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:23:01 PM, on 10/8/08 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\NAV\HOTKEY.EXE c:\windows\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATICWD32.EXE C:\PROGRAM FILES\ONLINE SERVICES\PRODIGY\BIN\PIDUNHK.EXE C:\CYBERTRIO\SHOWMODE.EXE C:\PROGRAM FILES\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE C:\Program Files\Mediascape\OnScreen Display\OSD.exe C:\WARNER\WARNER.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/ R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file) F1 - win.ini: run=c:\windows\OPTIONS\systools\cyxid98.exe N1 - Netscape 4: user_pref("browser.startup.homepage", "http://HOME.netscape.com/"); (C:\Program Files\Netscape\Users\lukesan\prefs.js) O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [PNPCHK] PNPCHK.EXE O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRAM FILES\ONLINE SERVICES\PRODIGY\BIN\PIDUNHK.EXE" O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE O4 - HKLM\..\Run: [CyberTrioModeInfo] C:\CyberTrio\ShowMode.exe O4 - HKLM\..\Run: [FontFix] c:\windows\options\systools\fntfix.exe O4 - HKLM\..\Run: [SystemWizard Sniffer] C:\Program Files\Common Files\SystemSoft\sniffer.exe O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Mediascape\Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [OnScreen Display] C:\Program Files\Mediascape\OnScreen Display\OSD.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [Warner] C:\Warner\Warner.exe O4 - HKLM\..\Run: [StillImageMonitor] 
C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [krmfgr] C:\WINDOWS\krmfgr.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [EarthLink Installer] " /C O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe O4 - HKLM\..\RunServices: [Winmodem] WINMODEM.101\wmexe.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [HOTKEY] C:\PROGRA~1\NAV\hotkey.exe /AUTO /BAR O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user') O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet (User 'Default user') O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! 
&Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O12 - Plugin for .mov: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll O15 - Trusted Zone: http://*.windowsupdate.microsoft.com O15 - Trusted Zone: http://*.windowsupdate.com O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.com/ActiveX/MSSurVid.cab O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/arcadegames/fallingstars/wtinst.cab O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/175041be21b875c1b718/netzip/RdxIE601.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/sol.cab O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) - http://mirror.worldwinner.com/games/v43/solotriv/solotriv.cab O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://gamingclub.microgaming.com/gamingclub/FlashAX.cab O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab O16 - DPF: 
{8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab O16 - DPF: {84B40160-54E0-4D2F-AC18-A6D31A9AC732} (NavWin Class) - https://jump.navahonetworks.com/navaho/dialerx.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/schools/law/lawreviews/meta-elements/journals/wfplayer/tdserver.cab O16 - DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} (Stm Class) - https://mpsnare.iesnare.com/StmOCX.cab O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O16 - DPF: Monopoly by pogo - http://game3.pogo.com/v/9.1.4.9/applet/monopoly/monopoly-en_US.cab -- End of file - 8593 bytesOpen HijackThis and select Do a system scan only. 
Place a check mark next to the following entries (if there):
- R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
- O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL (file missing)
- O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
- O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
- O4 - HKLM\..\Run: [krmfgr] C:\WINDOWS\krmfgr.exe
- O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
- O4 - HKLM\..\Run: [EarthLink Installer] " /C
- O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
- O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
- O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
- O15 - Trusted Zone: http://*.windowsupdate.com

Important: Close all open windows except for HijackThis and then click Fix checked. Once completed, exit HijackThis.
----------
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Go to Start > Run and type notepad.exe then click OK. Copy and paste the below into Notepad and save as fixme.reg to your Desktop:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "QuickenSEMessage"=-
    "BillMinder"=-
    "krmfgr"=-
    "TkBellExe"=-
    "EarthLink Installer"=-
    "CriticalUpdate"=-

Locate fixme.reg on your Desktop and double-click it. Answer YES when prompted to merge with the Registry. Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work. Delete the fixme.reg from the Desktop.
----------
Download CCleaner Slim and save it to your Desktop. When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe. Follow the prompts to install the program. Complete the installation then:
Restart the computer!
----------
Download and install SUPERAntiSpyware Free for Home Users.
When finished, SUPERAntiSpyware will list all the infections found. Make sure everything found has a check next to it and press Next. Then click Finish. It is possible that SUPERAntiSpyware asks to reboot the PC in order to delete some files. Locate the SUPERAntiSpyware log as follows:
It opens in your default text editor (such as Notepad). Post the SUPERAntiSpyware log in your reply.

Did the system scan... checked and clicked fix checked. Came up with an error.. modmd5_6??? from Auto???.."/C ERR#5-Improper call. Thought I could copy and paste but couldn't... Then I clicked OK and exited.... I could redo it if you want... can't read my writing... Then did the next step.... Adding this stuff to registry and it came out successful.... Now ready to download CCleaner Slim.... but I thought to let you know about the error and registry before I do this... I'll wait for response.

It should be OK if the registry file was successful. Just go on with the rest of the steps and we will go from there.

Did it... 3 hours to scan... Do you think that should do it? You are a very patient guy... And I thank you. I have a couple little questions... dumb ones.. 1. Should I delete HJT Installation and Setupeng... 2. Noticed when scanning saw some programs... Vbox Installer, Symantec TBYB Norton Anti Virus 200 for Win9y... 3. A9installer_880461 2009 Microsoft Security Warning that popped up yesterday before the cleaning... could I just delete this stuff? Other than that.. I'll check tomorrow to see if you have anything else for me... Thanks.... Should I delete all of these?
SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 10/08/2008 at 11:56 PM Application Version : 4.21.1004 Core Rules Database Version : 3593 Trace Rules Database Version: 1580 Scan type : Complete Scan Total Scan Time : 03:01:57 Memory items scanned : 160 Memory threats detected : 0 Registry items scanned : 2452 Registry threats detected : 21 File items scanned : 6888 File threats detected : 2 Adware.SmartPops HKLM\Software\Classes\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B} HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B} HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B} HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\ProgID HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\VersionIndependentProgID HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\Programmable HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\InprocServer32 HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\InprocServer32#ThreadingModel HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\TypeLib HKCR\SP.SmartPops.1 HKCR\SP.SmartPops HKCR\TypeLib\{FA777197-4BF7-4AA9-A088-A0D803198DE0} C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL Adware.IST/SideFind HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} Adware.IST/ISTBar (Slotch Bar) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#.Owner HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll#{386A771C-E96A-421F-8BA7-32F1B706892F} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ISTactivex.dll [ ] HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ] Adware.Avenue Media/Internet Optimizer 
HKU\.DEFAULT\SOFTWARE\Policies\Avenue Media HKLM\SOFTWARE\Policies\Avenue Media Adware.Starware C:\WINDOWS\DESKTOP\WEATHER_DIR.EXE

Yes, you can delete any installers and anything else you are done with; they are no longer needed. Any problems that remain are most likely not malware related. I suggest posting in the Windows forum if you need help on any other issues that remain.

OK... Again thank you... I hope I don't need to use you again... I'll have to go to the Windows forum.. I will keep this folder open till all is done and give you the outcome. The machine is still running slow and things keep running... Bye

Hello again... I am having trouble with Avast and SUPERAntiSpyware. I posted a message in the Windows forum.. and was told to have you help with configuring the settings for them, or said you would show up soon... What, you look at all the posts!... Busy guy. Anyway...... My computer keeps freezing and the programs keep running and slowing up everything... It's driving me coo coo... Dummy me needs help getting these set right... Thanks |
|
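The helper's HijackThis review in the thread above works by eye: entries whose file is gone ("(no file)", "(file missing)"), an O4 Run value with a command that cannot launch anything (`" /C`, or an empty name), Trusted Zone (O15) additions, and ActiveX downloads (O16 DPF) pulled from sites other than Microsoft's, after which the matching Run values are removed with a REGEDIT4 file in which `"name"=-` deletes a value. The following is an added example, not code from the thread, from HijackThis or from any of the tools named in it; it applies the same checks to a handful of sample lines modelled on the log formats in the thread and then dry-runs the .reg fix against the log. The sample lines, the deliberately misspelled `"TkBelExe"=-` deletion and the flag names (`orphan`, `malformed`, `trusted-zone`, `third-party-activex`) are constructed for illustration, and every flag is a prompt for review rather than a verdict.

```python
"""Triage HijackThis (HJT) log lines and dry-run a REGEDIT4 fix against them.
Added example: heuristics mirror what the thread's helper checked by eye.
Sample inputs are constructed from the line formats seen in the thread."""
import re
from urllib.parse import urlparse

# Constructed sample log lines (formats as in the thread, not a full log).
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [krmfgr] C:\WINDOWS\krmfgr.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/175041be21b875c1b718/netzip/RdxIE601.cab
"""

# Constructed fix file; "TkBelExe" is a deliberate typo to exercise the cross-check.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"krmfgr"=-
"EarthLink Installer"=-
"TkBelExe"=-
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_ENTRY = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<list>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O16_ENTRY = re.compile(r"^DPF: (?P<id>.+?) - (?P<url>\S+)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DELETE = re.compile(r'^"(?P<name>[^"]*)"=-$')
MISSING = ("(no file)", "(file missing)")


def malformed_command(cmd):
    """True for an O4 command that cannot launch anything: empty, or an
    opening quote that is not followed by a drive path (e.g. '" /C')."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd).strip()  # drop HJT's user suffix
    if not cmd:
        return True
    return cmd.startswith('"') and not re.match(r'^"[A-Za-z]:\\', cmd)


def triage_hjt(text):
    """Return (kind, flag, line) for each entry worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if any(mark in body for mark in MISSING):
            findings.append((kind, "orphan", line))        # leftover of a removed program
        elif kind == "O15":
            findings.append((kind, "trusted-zone", line))  # relaxes IE security for that host
        elif kind == "O16":
            d = O16_ENTRY.match(body)
            host = (urlparse(d.group("url")).hostname or "") if d else ""
            if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                findings.append((kind, "third-party-activex", line))
        elif kind == "O4":
            e = O4_ENTRY.match(body)
            if e and malformed_command(e.group("cmd")):
                findings.append((kind, "malformed", line))
    return findings


def reg_deletions(text):
    """List (key, value name) for every "name"=- line in a REGEDIT4 file."""
    out, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group("key")
            continue
        d = REG_DELETE.match(line)
        if d and key is not None:
            out.append((key, d.group("name")))
    return out


def cross_check(hjt_text, reg_text):
    """Names the .reg would delete that the log never lists under HKLM\\..\\Run.
    Regedit silently ignores "name"=- for a value that does not exist, so a
    typo turns that line of the fix into a no-op; catch it before merging."""
    present = set()
    for raw in hjt_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        e = O4_ENTRY.match(m.group("body")) if m and m.group("kind") == "O4" else None
        if e and e.group("hive").startswith("HKLM") and e.group("list") == "Run":
            present.add(e.group("name").lower())  # registry value names are case-insensitive
    return [name for _, name in reg_deletions(reg_text) if name.lower() not in present]


if __name__ == "__main__":
    for kind, flag, line in triage_hjt(SAMPLE_HJT):
        print(f"{flag:20} {line}")
    print("deletions not matched in log:", cross_check(SAMPLE_HJT, SAMPLE_REG))
```

On the sample above the triage flags the two orphan entries, the two unlaunchable O4 commands, the Trusted Zone line and the non-Microsoft ActiveX download, while the legitimate-looking Run entries and the Microsoft-hosted DPF pass through; the cross-check reports only the misspelled `TkBelExe`, which is exactly the line that would have merged "successfully" yet changed nothing.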
| 547. |
Solve : Run button in Start menu is Invisible? |
|
Answer» Last time I was doing some mischief with my registry. I was changing the values of different regwrds. But after one boot I noticed that the Run button in the Start Menu is gone. CO2, can you help me bring that option back to my Start Menu? Please!

Tip: Never mess with the registry if you don't know what you are doing. I found this, seems promising: http://www.gohacking.com/2008/08/how-to-edit-start-menu.html

By the way, don't use any registry cleaning software to fix it either. They can do more harm than good. |
|
| 548. |
Solve : cidaemon.exe...what is this?? |
|
Answer» Hi guys, my computer has a problem; I think there are some bugs here. Every 3 seconds it pauses, and it really irritates me. This happens twice. When I run Task Manager there is something in the system processes called cidaemon.exe. cidaemon.exe is using about 60-70 of the CPU, but I'm not running any program except Mozilla, so I terminated cidaemon.exe, but it always returns in the process list. But I found cidaemon.exe in the system32 folder; that's why I was confused whether it is malware or a legitimate process. |
|
| 549. |
Solve : Troubles cleaning an unsupported OS? |
|
Answer» Okay, so I have Win 98 SE. Until I get a new comp in several weeks this is what I've got to work with.
Now I found something odd. When I downloaded CureIt, Firefox downloaded too and it is on my desktop? Also my comp went all black during the first run of CureIt... so I moved the mouse, hit a few keys, nothing; waited around an hour while I was busy, still black. So I hit Ctrl-Alt-Delete to see if Task Manager would pop up, and rebooted, so I started the scan again.

Popular Screensavers.scr;C:\WINDOWS\SYSTEM;Adware.Msearch;Incurable.Moved.;
dhtmlexe.exe;C:\WINDOWS\SYSTEM;Dialer.Egroup;Incurable.Moved.;
clientax.dll;C:\WINDOWS\TEMP;Adware.Zango;Incurable.Moved.;
Instant-Access.exe;C:\WINDOWS\TEMP;Dialer.Egroup;Incurable.Moved.;
SkillJamLoader.dll;C:\WINDOWS\TEMP\SkillJam\SecurePlayerInstall\InternetExplorer;Program.PopcapLoader.origin;Incurable.Moved.;
SkillJamLoader.dll;C:\WINDOWS\All Users\Application Data\SkillJam\SecurePlayer;Program.PopcapLoader.origin;Incurable.Deleted.;
HDPlugin1101.dll;C:\WINDOWS\Downloaded Program Files;Adware.Gator;Incurable.Deleted.;
HbInstIE.dll;C:\WINDOWS\Downloaded Program Files;Adware.Hotbar;Incurable.Deleted.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Incurable.Deleted.;
tljphfln.exe;C:\Program Files\Common Files\lhecfllr\nnhllfct;Adware.Gator;Incurable.Deleted.;
lejbheebl.exe;C:\Program Files\Common Files\lhecfllr\lnplanhpal;Adware.Gator;Incurable.Deleted.;
npclntax.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Zango;Incurable.Deleted.;

Run CCleaner Slim. Any improvements?

Yeah, it does seem to be better, a lot better. Now, from my memory, if I use the registry option on CCleaner it gives a prompt to save before it actually runs, right? Also, do you think I should use that option? P.S. Yer awesome!

Yes, it shows you what will be removed and gives you the option to save a backup before doing the cleaning. Using it is up to you. I personally have never had any problem with it, but you never know... You will also want to install and run a good third-party defragment tool. There is only one free one that works with Win98.
http://www.majorgeeks.com/Diskeeper_Lite_d1207.html

Well, my system seems to be usable now. It seems that because I can't update Adobe I am having trouble with the Major Geeks site. Also, can you tell me how I can tell if this comp will be able to run Win XP successfully? I think I can get hold of a disk here soon, but I was told I may not have the right 'chip set', w\e that means. And thank you for your time.

Hmm, I wasn't aware of any problems with Adobe and Win98. Have you tried visiting the Adobe site and downloading or updating it there?
Quote: Also, can you tell me how I can tell if this comp will be able to run Win XP successfully?
I'm not much on hardware, but you will not be able to install XP on a 98/ME machine unless you do some major upgrading of the processor, motherboard and probably a few other things. Buying a new system would likely be cheaper. I still have a functioning Win98, and each year there are fewer and fewer programs that work with it. Eventually they are going to be nothing but junk. Pretty much how Win95 is now...

I have not gone to the site, but when it asked me to update and I click yes, it says something about an unsupported system and directs me to the site. I have a friend that may have some extra parts, but I do not think he has a motherboard. So yeah, it works and that's all I care about for now. Thanks.

Is it the Adobe Reader?

Do you want to install and run "Adobe Flash Player installer" signed on 10\04\08.... I click yes and get something like "you are trying to get Adobe Flash on an unsupported system"... I get this Adobe Flash box every time I go to Major Geeks. I also get some kind of box that says my system can not run Major Geeks and must abort... something like it; it comes and goes too quick to read it all. |
|
| 550. |
Solve : OK, not sure what's wrong? |
|
Answer» I recently got a computer from a friend who was moving. When I start it up everything's fine, Win2000 starts, then an error message appears. It says explorer.exe has generated errors and will be shut down by Windows. After that, all that comes up is a background image; besides that the screen is blank, nothing to click on. I've Control-Alt-Deleted, couldn't figure out anything. I rebooted in safe mode with the DOS screen and saw all the files seemed to be on there. I just can't figure out whatsoever what's wrong or how to correct this problem. Anyone got any ideas?

When you press CTRL + ALT + Delete, do you get Task Manager? |
|