Rootkit file ksfvjxai.sys??
Hi
This is the Combofix log file, posted via another workstation: ComboFix 10-12-06.04 - Nashir 07/12/2010 18:34:01.3.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2006.975 [GMT 0:00] Running from: c:\users\Nashir\Desktop\COMMY.exe Command switches used :: c:\users\Nashir\Desktop\CFScript.txt SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} FILE :: "c:\windows\System32\Drivers\ksfvjxai.sys" "c:\windows\system32\drivers\rqmophar.sys" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_KSFVJXAI -------\Service_ksfvjxai -------\Service_rqmophar ((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 ))))))))))))))))))))))))))))))) . 2010-12-07 18:41 . 2010-12-07 18:47--------d-----w-c:\users\Nashir\AppData\Local\temp 2010-12-07 18:41 . 2010-12-07 18:41--------d-----w-c:\users\Default\AppData\Local\temp 2010-12-07 06:18 . 2010-11-10 04:336273872----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll 2010-12-06 21:07 . 2010-12-06 21:08--------d-----w-c:\program files\CCleaner 2010-12-06 20:53 . 2010-12-06 20:53--------d-----w-c:\program files\Common Files\Java 2010-12-06 20:53 . 2010-09-15 04:50472808----a-w-c:\windows\system32\deployJava1.dll 2010-12-06 09:37 . 2010-12-06 09:37--------d-----w-c:\users\LogMeInRemoteUser 2010-12-06 07:05 . 2010-12-06 07:05--------d-----w-c:\users\Nashir\AppData\Local\LogMeIn 2010-12-06 07:04 . 2010-12-01 15:0453632----a-w-c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2010-12-06 07:04 . 2010-12-01 15:0429568----a-w-c:\windows\system32\LMIport.dll 2010-12-06 07:04 . 
2010-12-01 15:0483360----a-w-c:\windows\system32\LMIRfsClientNP.dll 2010-12-06 07:04 . 2010-09-17 15:4047640----a-w-c:\windows\system32\drivers\LMIRfsDriver.sys 2010-12-06 07:04 . 2010-12-01 15:0487424----a-w-c:\windows\system32\LMIinit.dll 2010-12-06 07:04 . 2010-12-07 06:13--------d-----w-c:\programdata\LogMeIn 2010-12-06 07:04 . 2010-12-06 07:04--------d-----w-c:\program files\LogMeIn 2010-12-05 19:22 . 2010-12-05 19:22--------d-----w-c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com 2010-12-05 19:22 . 2010-12-05 19:22--------d-----w-c:\programdata\SUPERAntiSpyware.com 2010-12-05 19:21 . 2010-12-05 19:22--------d-----w-c:\program files\SUPERAntiSpyware 2010-12-05 19:06 . 2010-12-05 19:06388096----a-r-c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-12-05 19:06 . 2010-12-05 19:06--------d-----w-c:\program files\Trend Micro 2010-12-05 16:12 . 2010-05-26 10:4518816------w-c:\windows\system32\SAVRKBootTasks.sys 2010-12-05 13:25 . 2010-12-05 13:25--------d-----w-c:\program files\Sophos 2010-12-05 13:06 . 2010-12-05 13:06--------d-----w-c:\program files\Unlocker 2010-11-25 09:14 . 2010-10-19 04:277680----a-w-c:\program files\Internet Explorer\iecompat.dll 2010-11-23 17:23 . 2009-06-30 10:3728552----a-w-c:\windows\system32\drivers\pavboot.sys 2010-11-20 18:23 . 2010-11-20 18:23--------d-----w-c:\users\Nashir\AppData\Roaming\PCDr 2010-11-10 10:59 . 2010-10-07 11:372409784----a-w-c:\program files\Windows Mail\OESpamFilter.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-07 18:43 . 2010-09-25 08:48843264----a-w-c:\windows\system32\drivers\ksfvjxai.sys 2010-11-29 17:42 . 2010-07-16 19:5538224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-29 17:42 . 2010-07-16 19:5520952----a-w-c:\windows\system32\drivers\mbam.sys 2010-10-19 10:41 . 2009-10-04 18:05222080------w-c:\windows\system32\MpSigStub.exe 2010-09-17 15:39 . 
2010-09-17 15:3925248----a-w-c:\windows\system32\lmimirr.dll 2010-09-17 15:39 . 2010-09-17 15:3911552----a-w-c:\windows\system32\lmimirr2.dll 2010-09-17 15:39 . 2010-09-17 15:3910144----a-w-c:\windows\system32\drivers\lmimirr.sys 2010-09-13 13:56 . 2010-10-13 09:078147456----a-w-c:\windows\system32\wmploc.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304] "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296] "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536] "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064] "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816] "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 
557149] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008] "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288] "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840] c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist] 2009-09-22 13:5816680----a-w-c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"="" "FirewallOverride"="" R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN 
v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664] S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920] S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648] S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736] S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936] S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128] S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcsREG_MULTI_SZ BthServ LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache . 
Contents of the 'Scheduled Tasks' folder 2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12] 2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12] 2010-05-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22] 2009-07-31 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22] 2010-12-07 c:\windows\Tasks\ParetoLogic Registration3.job - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01] 2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01] 2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40] 2010-10-27 c:\windows\Tasks\PC Health Advisor.job - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40] 2010-12-07 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bbc.co.uk/ mWindow Title = Microsoft Internet Explorer Provided by Wanadoo uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm . ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\2107.tmp" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}] "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service] "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'Explorer.exe'(5560) c:\program files\Unlocker\UnlockerHook.dll c:\progra~1\mcafee\SITEAD~1\saHook.dll c:\windows\system32\btmmhook.dll c:\windows\system32\btncopy.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe c:\program files\Thomson\ST330\service\st330service.exe c:\windows\system32\msinfo32.exe c:\windows\System32\WLTRYSVC.EXE c:\windows\System32\bcmwltry.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\LogMeIn\x86\LMIGuardianSvc.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\McAfee\SiteAdvisor\McSACore.exe c:\program files\Common Files\Motive\McciCMService.exe c:\windows\system32\rundll32.exe c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\progra~1\McAfee\VIRUSS~1\mcshield.exe c:\program files\McAfee\MPF\MPFSrv.exe c:\program files\McAfee\MSK\MskSrver.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\mcafee.com\agent\mcagent.exe c:\windows\system32\igfxsrvc.exe c:\windows\ehome\ehmsas.exe c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\program files\Synaptics\SynTP\SynTPHelper.exe c:\windows\system32\WerFault.exe c:\program 
files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2010-12-07 18:53:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-07 18:53
ComboFix2.txt 2010-12-06 07:29
ComboFix3.txt 2010-12-04 18:43
Pre-Run: 172,233,457,664 bytes free
Post-Run: 171,874,471,936 bytes free
- - End Of File - - 5B2C30AC82EE04F5A32589E7617084B5

Interesting - rebooted the machine again, and IE is back up and running. However ksfvjxai.sys is still there.

Ok. Let's try this one more time. Re-running ComboFix to remove infections:
Please run the SysProt Antirootkit as instructed in Reply #12

Hi

Ran combofix - it updated itself; then I ran it again as requested. PC rebooted then it did a chkdisk, rebooted but no log was produced, so I ran combofix again. This time log was produced - as below:

ComboFix 10-12-08.04 - Nashir 09/12/2010 12:55:21.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2006.846 [GMT 0:00]
Running from: c:\users\Nashir\Desktop\COMMY.exe
Command switches used :: c:\users\Nashir\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\windows\system32\drivers\ksfvjxai.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1DE.tmp
c:\windows\system32\drivers\ksfvjxai.sys
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.
2010-12-09 13:03 . 2010-12-09 13:06--------d-----w-c:\users\Nashir\AppData\Local\temp
2010-12-09 13:03 . 2010-12-09 13:03--------d-----w-c:\users\Default\AppData\Local\temp
2010-12-09 12:39 . 2010-12-09 12:39--------d-----w-C:\found.000
2010-12-07 06:18 . 2010-11-10 04:336273872----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll
2010-12-06 21:07 . 2010-12-06 21:08--------d-----w-c:\program files\CCleaner
2010-12-06 20:53 . 2010-12-06 20:53--------d-----w-c:\program files\Common Files\Java
2010-12-06 20:53 . 2010-09-15 04:50472808----a-w-c:\windows\system32\deployJava1.dll
2010-12-06 09:37 . 2010-12-06 09:37--------d-----w-c:\users\LogMeInRemoteUser
2010-12-06 07:05 . 2010-12-06 07:05--------d-----w-c:\users\Nashir\AppData\Local\LogMeIn
2010-12-06 07:04 .
2010-12-01 15:0453632----a-w-c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2010-12-06 07:04 . 2010-12-01 15:0429568----a-w-c:\windows\system32\LMIport.dll 2010-12-06 07:04 . 2010-12-01 15:0483360----a-w-c:\windows\system32\LMIRfsClientNP.dll 2010-12-06 07:04 . 2010-09-17 15:4047640----a-w-c:\windows\system32\drivers\LMIRfsDriver.sys 2010-12-06 07:04 . 2010-12-01 15:0487424----a-w-c:\windows\system32\LMIinit.dll 2010-12-06 07:04 . 2010-12-09 12:25--------d-----w-c:\programdata\LogMeIn 2010-12-06 07:04 . 2010-12-06 07:04--------d-----w-c:\program files\LogMeIn 2010-12-05 19:22 . 2010-12-05 19:22--------d-----w-c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com 2010-12-05 19:22 . 2010-12-05 19:22--------d-----w-c:\programdata\SUPERAntiSpyware.com 2010-12-05 19:21 . 2010-12-05 19:22--------d-----w-c:\program files\SUPERAntiSpyware 2010-12-05 19:06 . 2010-12-05 19:06388096----a-r-c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-12-05 19:06 . 2010-12-05 19:06--------d-----w-c:\program files\Trend Micro 2010-12-05 16:12 . 2010-05-26 10:4518816------w-c:\windows\system32\SAVRKBootTasks.sys 2010-12-05 13:25 . 2010-12-05 13:25--------d-----w-c:\program files\Sophos 2010-12-05 13:06 . 2010-12-05 13:06--------d-----w-c:\program files\Unlocker 2010-11-25 09:14 . 2010-10-19 04:277680----a-w-c:\program files\Internet Explorer\iecompat.dll 2010-11-23 17:23 . 2009-06-30 10:3728552----a-w-c:\windows\system32\drivers\pavboot.sys 2010-11-20 18:23 . 2010-11-20 18:23--------d-----w-c:\users\Nashir\AppData\Roaming\PCDr 2010-11-10 10:59 . 2010-10-07 11:372409784----a-w-c:\program files\Windows Mail\OESpamFilter.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-29 17:42 . 2010-07-16 19:5538224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-29 17:42 . 
2010-07-16 19:5520952----a-w-c:\windows\system32\drivers\mbam.sys 2010-10-19 10:41 . 2009-10-04 18:05222080------w-c:\windows\system32\MpSigStub.exe 2010-09-17 15:39 . 2010-09-17 15:3925248----a-w-c:\windows\system32\lmimirr.dll 2010-09-17 15:39 . 2010-09-17 15:3911552----a-w-c:\windows\system32\lmimirr2.dll 2010-09-17 15:39 . 2010-09-17 15:3910144----a-w-c:\windows\system32\drivers\lmimirr.sys 2010-09-13 13:56 . 2010-10-13 09:078147456----a-w-c:\windows\system32\wmploc.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304] "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296] "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536] "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064] "SpeedTouch USB 
Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816] "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008] "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288] "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840] c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist] 2009-09-22 13:5816680----a-w-c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" 
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"="" "FirewallOverride"="" R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664] R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904] R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464] R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672] R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328] R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504] S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656] S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816] S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920] S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-01 374152] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176] S3 btwl2cap;Bluetooth L2CAP 
Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736] S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936] S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128] S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992] S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472] S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcsREG_MULTI_SZ BthServ LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache . Contents of the 'Scheduled Tasks' folder 2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12] 2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12] 2010-05-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22] 2009-07-31 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22] 2010-12-08 c:\windows\Tasks\ParetoLogic Registration3.job - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01] 2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01] 2010-12-03 c:\windows\Tasks\PC Health Advisor Defrag.job - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40] 2010-12-08 c:\windows\Tasks\PC Health Advisor.job - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40] 2010-12-09 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25] . . 
------- Supplementary Scan ------- . uStart Page = hxxp://www.bbc.co.uk/ mWindow Title = Microsoft Internet Explorer Provided by Wanadoo uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm . ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\2107.tmp" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}] "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service] "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'Explorer.exe'(5260) c:\program files\Unlocker\UnlockerHook.dll c:\progra~1\mcafee\SITEAD~1\saHook.dll c:\windows\system32\btmmhook.dll c:\windows\system32\btncopy.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe c:\program files\Thomson\ST330\service\st330service.exe c:\windows\system32\msinfo32.exe c:\windows\System32\WLTRYSVC.EXE c:\windows\System32\bcmwltry.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\Common Files\Motive\McciCMService.exe c:\windows\system32\rundll32.exe c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\progra~1\McAfee\VIRUSS~1\mcshield.exe c:\program files\McAfee\MPF\MPFSrv.exe c:\program files\McAfee\MSK\MskSrver.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\mcafee.com\agent\mcagent.exe c:\windows\system32\igfxsrvc.exe c:\windows\ehome\ehmsas.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe c:\program files\Synaptics\SynTP\SynTPHelper.exe c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\\?\c:\windows\system32\wbem\WMIADAP.EXE . ************************************************************************** . 
Completion time: 2010-12-09 13:12:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-09 13:12
ComboFix2.txt 2010-12-07 18:53
ComboFix3.txt 2010-12-06 07:29
ComboFix4.txt 2010-12-04 18:43
Pre-Run: 171,817,422,848 bytes free
Post-Run: 171,800,563,712 bytes free
- - End Of File - - 6032CFF263D7A9F7AE41285A75E31A06

Then ran Sysprot as directed - log below:

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C400000
Module End: 8C40B000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
Service Name: ---
Module Base: 8C1F3000
Module End: 8C1FD000
Hidden: Yes
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateUserProcess
At Address: 82BD7B82
Jump To: 8D343766
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwYieldExecution
At Address: 82A399D2
Jump To: 8D3437CC
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwUnmapViewOfSection
At Address: 82C1E7BD
Jump To: 8D3437F6
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwTerminateProcess
At Address: 82BFEDA3
Jump To: 8D34380F
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwSetInformationProcess
At Address: 82C22528
Jump To: 8D34377A
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwSetContextThread
At Address: 82CA03C7
Jump To: 8D34378E
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwProtectVirtualMemory
At Address: 82C27F3D
Jump To: 8D3437B6
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenThread
At Address: 82C2A15A
Jump To: 8D343728
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 82C2EC08
Jump To: 8D343714
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwMapViewOfSection
At Address: 82C1E4FA
Jump To: 8D3437E0
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcessEx
At Address: 82C9F90A
Jump To: 8D343750
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcess
At Address: 82C9F8BF
Jump To: 8D34373C
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateFile
At Address: 82C4FE5B
Jump To: 8D3437A2
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: PsSetContextThread
At Address: 82CA03C7
Jump To: 8D34378E
Module Name: C:\Windows\system32\drivers\mfehidk.sys
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Personal.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Pictures.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\PrintHood.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Programs.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Recent.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\SendTo.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\SetPath.bat Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat Status: Access denied
Object: C:\Qoobox\BackEnv\VikPev00 Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl Status: Access denied

Re-running ComboFix to remove infections:
I'd like to scan your machine with ESET OnlineScan •Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan •Click the button. •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Click the button. •Accept any security warnings from your browser. •Check •Push the Start button. •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. •When the scan completes, push •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. •Push the button. •Push A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt Combofix log: ComboFix 10-12-09.02 - Nashir 10/12/2010 7:40.5.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2006.995 [GMT 0:00] Running from: c:\users\Nashir\Desktop\COMMY.exe Command switches used :: c:\users\Nashir\Desktop\CFScript.txt SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} FILE :: "C:\found.000" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\users\Nashir\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3A35.tmp . ((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 ))))))))))))))))))))))))))))))) . 2010-12-10 07:49 . 2010-12-10 07:52--------d-----w-c:\users\Nashir\AppData\Local\temp 2010-12-10 07:49 . 2010-12-10 07:49--------d-----w-c:\users\Default\AppData\Local\temp 2010-12-09 12:39 . 2010-12-09 12:39--------d-----w-C:\found.000 2010-12-07 06:18 . 2010-11-10 04:336273872----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9428589-8403-4598-AA85-7DE96BAFB4D5}\mpengine.dll 2010-12-06 21:07 . 2010-12-06 21:08--------d-----w-c:\program files\CCleaner 2010-12-06 20:53 . 2010-12-06 20:53--------d-----w-c:\program files\Common Files\Java 2010-12-06 20:53 . 2010-09-15 04:50472808----a-w-c:\windows\system32\deployJava1.dll 2010-12-06 09:37 . 
2010-12-06 09:37--------d-----w-c:\users\LogMeInRemoteUser 2010-12-06 07:05 . 2010-12-06 07:05--------d-----w-c:\users\Nashir\AppData\Local\LogMeIn 2010-12-06 07:04 . 2010-12-01 15:0453632----a-w-c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2010-12-06 07:04 . 2010-12-01 15:0429568----a-w-c:\windows\system32\LMIport.dll 2010-12-06 07:04 . 2010-12-01 15:0483360----a-w-c:\windows\system32\LMIRfsClientNP.dll 2010-12-06 07:04 . 2010-09-17 15:4047640----a-w-c:\windows\system32\drivers\LMIRfsDriver.sys 2010-12-06 07:04 . 2010-12-01 15:0487424----a-w-c:\windows\system32\LMIinit.dll 2010-12-06 07:04 . 2010-12-10 07:25--------d-----w-c:\programdata\LogMeIn 2010-12-06 07:04 . 2010-12-06 07:04--------d-----w-c:\program files\LogMeIn 2010-12-05 19:22 . 2010-12-05 19:22--------d-----w-c:\users\Nashir\AppData\Roaming\SUPERAntiSpyware.com 2010-12-05 19:22 . 2010-12-05 19:22--------d-----w-c:\programdata\SUPERAntiSpyware.com 2010-12-05 19:21 . 2010-12-05 19:22--------d-----w-c:\program files\SUPERAntiSpyware 2010-12-05 19:06 . 2010-12-05 19:06388096----a-r-c:\users\Nashir\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-12-05 19:06 . 2010-12-05 19:06--------d-----w-c:\program files\Trend Micro 2010-12-05 16:12 . 2010-05-26 10:4518816------w-c:\windows\system32\SAVRKBootTasks.sys 2010-12-05 13:25 . 2010-12-05 13:25--------d-----w-c:\program files\Sophos 2010-12-05 13:06 . 2010-12-05 13:06--------d-----w-c:\program files\Unlocker 2010-11-25 09:14 . 2010-10-19 04:277680----a-w-c:\program files\Internet Explorer\iecompat.dll 2010-11-23 17:23 . 2009-06-30 10:3728552----a-w-c:\windows\system32\drivers\pavboot.sys 2010-11-20 18:23 . 2010-11-20 18:23--------d-----w-c:\users\Nashir\AppData\Roaming\PCDr 2010-11-10 10:59 . 2010-10-07 11:372409784----a-w-c:\program files\Windows Mail\OESpamFilter.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-29 17:42 . 
2010-07-16 19:5538224----a-w-c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-29 17:42 . 2010-07-16 19:5520952----a-w-c:\windows\system32\drivers\mbam.sys 2010-10-19 10:41 . 2009-10-04 18:05222080------w-c:\windows\system32\MpSigStub.exe 2010-09-17 15:39 . 2010-09-17 15:3925248----a-w-c:\windows\system32\lmimirr.dll 2010-09-17 15:39 . 2010-09-17 15:3911552----a-w-c:\windows\system32\lmimirr2.dll 2010-09-17 15:39 . 2010-09-17 15:3910144----a-w-c:\windows\system32\drivers\lmimirr.sys 2010-09-13 13:56 . 2010-10-13 09:078147456----a-w-c:\windows\system32\wmploc.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-25 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-01 1422632] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-01 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-01 178712] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-01 154136] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304] "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296] "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536] "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064] "SpeedTouch USB 
Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816] "diagnostics"="c:\program files\Thomson\ST330\diagnostics\diagnostics.exe" [2009-06-23 557149] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008] "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-15 202256] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288] "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] c:\users\Nashir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-11-18 780840] c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist] 2009-09-22 13:5816680----a-w-c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" 
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"="" "FirewallOverride"="" R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 135664] R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2107.tmp R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904] R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-06-23 30464] R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-06-23 12672] R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2009-06-23 35328] R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504] S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656] S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816] S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-20 81920] S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-01 374152] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176] S3 btwl2cap;Bluetooth L2CAP 
Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-12-24 29736] S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936] S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-01 112128] S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-08 212992] S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-10 133472] S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-10 271616] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcsREG_MULTI_SZ BthServ LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache . Contents of the 'Scheduled Tasks' folder 2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12] 2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-25 20:12] 2010-05-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22] 2009-07-31 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22] 2010-12-09 c:\windows\Tasks\ParetoLogic Registration3.job - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01] 2010-12-06 c:\windows\Tasks\ParetoLogic Update Version3.job - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01] 2010-12-10 c:\windows\Tasks\PC Health Advisor Defrag.job - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40] 2010-12-08 c:\windows\Tasks\PC Health Advisor.job - c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40] 2010-12-09 c:\windows\Tasks\User_Feed_Synchronization-{E7640368-FDBF-4942-94A0-18CC59282571}.job - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25] . . 
------- Supplementary Scan ------- . uStart Page = hxxp://www.bbc.co.uk/ mWindow Title = Microsoft Internet Explorer Provided by Wanadoo uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm . ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\2107.tmp" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}] "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms" [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\st330service] "ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'Explorer.exe'(2260) c:\program files\Unlocker\UnlockerHook.dll c:\progra~1\mcafee\SITEAD~1\saHook.dll c:\windows\system32\btmmhook.dll c:\windows\system32\btncopy.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe c:\program files\Thomson\ST330\service\st330service.exe c:\windows\system32\msinfo32.exe c:\windows\System32\WLTRYSVC.EXE c:\windows\System32\bcmwltry.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\Common Files\Motive\McciCMService.exe c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\progra~1\McAfee\VIRUSS~1\mcshield.exe c:\windows\system32\rundll32.exe c:\program files\McAfee\MPF\MPFSrv.exe c:\program files\McAfee\MSK\MskSrver.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\mcafee.com\agent\mcagent.exe c:\windows\system32\igfxsrvc.exe c:\windows\ehome\ehmsas.exe c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe c:\program files\Synaptics\SynTP\SynTPHelper.exe c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\program files\Dell Support Center\bin\sprtsvc.exe . ************************************************************************** .
Completion time: 2010-12-10 07:57:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-10 07:57
ComboFix2.txt 2010-12-09 13:12
ComboFix3.txt 2010-12-07 18:53
ComboFix4.txt 2010-12-06 07:29
ComboFix5.txt 2010-12-10 07:36
Pre-Run: 173,336,719,360 bytes free
Post-Run: 173,376,696,320 bytes free
- - End Of File - - AAC0C20AE4A5A48FA054BEB3609F144C

I need to see the ESET scan log.

Sorry - as below:
C:\Qoobox\Quarantine\C\Users\Nashir\AppData\Local\{20B77007-BD36-42C6-8C5E-53C7139A1BBE}\chrome\content\overlay.xul.vir - probably a variant of Win32/Agent.NVQFFQI trojan - cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\ksfvjxai.sys.vir - a variant of Win32/Bubnix.BB trojan - cleaned by deleting - quarantined
C:\Users\Nashir\Desktop\unlocker1.9.0.exe - Win32/Adware.ADON application - deleted - quarantined

That looks good.
How's your computer working?

Hi Dave, looks fully functional, IE is responsive, no hangs or crashes, the ksfvjxai.sys file is gone, which is good! Was it the updated Combofix that killed the unwanted processes? K

Quote
Was it the updated Combofix that killed the unwanted processes?
I don't wish to discuss this in an open forum. The bad guys are probably watching. Let's do some cleanup.

* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type COMMY /uninstall in the runbox
* Make sure there's a space between COMMY and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

*****************************************

Clean out your temporary internet files and temp files. Download TFC by OldTimer to your desktop. Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator.
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

***********************************

Use the Secunia Software Inspector to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.

----------
Go to Microsoft Windows Update and get all critical updates.
----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time.
Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing.
Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!

Great site and very helpful ... it's great to be here! |
|
| 352. |
Solve : sdbot detected in webroot spysweeper 2011 and some weird file call hn.exe? |
|
Answer» When I ran a Webroot SpySweeper 2011 full scan, it detected something called sdbot. Also when I run an ESET online scan, it detects something called hn.exe in c:/recycler/(bunch of numbers and letters here)/hn.exe. When I try to go into that folder, I can't find it anywhere even though view hidden folders is checked. Here are my logs.

hn.exe: Here.

Quote
sdbot: Here.

Quote
Firstly, I don't understand how come there is no guarantee for the security of my computer even after the removal process. How does the backdoor function?
Backdoor Trojan

Quote
is the backdoor trojan similar to a keylogger? For example, can they read what I am typing as of now? Do they know what I am doing on this computer for every moment I'm on it?
Keyloggers.

Quote
And lastly, if my computer is disconnected from the internet, the hacker will have no way of accessing my computer, right?
Correct. It is isolated from all outside influences but it must be a physical disconnect such as unplugging the cable from the modem.

Quote
Would Comodo Firewall detect any outgoing connections that are used to send crucial system and personal information to the hacker?
That is correct. That's why it's so important to block out-going traffic.

Quote from: SuperDave on December 05, 2010, 04:03:40 PM
Quote
Would Comodo Firewall detect any outgoing connections that are used to send crucial system and personal information to the hacker?
Correct. It is isolated from all outside influences but it must be a physical disconnect such as unplugging the cable from the modem.
As you noted previously though SD once the system is compromised like this, you cannot trust any of the software that is installed, firewalls included.

I read all of them and what I still don't know is, what is hn.exe? For some reason when I type c:\recycler\k-1-3542-4232123213-7676767-8888886\ into my windows explorer, it automatically erases. And about the keylogger, "is the backdoor trojan similar to a keylogger? For example, can they read what I am typing as of now? Do they know what I am doing on this computer for every moment I'm on it?" I can't find anywhere on that site that answers this. I knew what it does but it doesn't answer my question. I was going to ask about the backdoor trojan and why it's still not safe but BC_Programmer just answered two of my questions a few minutes earlier before I was about to post, thanks lol. So does this mean the 100% outgoing traffic from chrome.exe from comodo firewall as of this post can not be trusted?

Quote from: iusexp on December 05, 2010, 09:43:13 PM
So does this mean the 100% outgoing traffic from chrome.exe from comodo firewall as of this post can not be trusted?
Basically, it goes like this. With malware/viruses like this, you can never be sure if they installed a rootkit, or other "hider" type of malware. For example, the reason you cannot see hn.exe is because it is, most likely, hidden from the Windows API (which most Windows programs use to view files). Technically, this is done rather easily by redirecting all calls to the file find functions, like FindFirstFile, FindNextFile, as well as the functions to open files (CreateFile), and if the file is something the malware wants to "hide", returning a value that says "file not found" or simply skipping that file; otherwise, it will just pass along all the various stuff it was given to the standard Windows function (so you can still see all other files and everything "seems" normal). This same thing can be done for anything; network activity can be hidden from firewalls by simply not allowing the firewalls to see that activity; it's not as hard as it may seem, either. Some firewalls hook directly into the network driver; but a rootkit can always replace that network driver with its own and simply not tell the firewall about the malicious activity. The entire point of a rootkit is to make a computer seem clean when it really isn't. So, you might wonder how the online scan found the file, if it's so well hidden. Most AV programs don't rely merely on the Windows API; some go directly to the disk or file-system driver level and retrieve file information that way, and in most cases this goes below any rootkit-type malware and allows it to see the files that would be otherwise hidden.

Quote from: iusexp on December 05, 2010, 09:43:13 PM
is the backdoor trojan similar to a keylogger?
There is some confusion here; a virus/malware doesn't have to be merely one form or another; most malware counts as a number of various "classes". A backdoor is merely a way for the malware writer to gain access to your PC; these are often hidden with rootkits (so you and your AV (unless properly designed) cannot see the port it's keeping open), and oftentimes they throw in a keylogger portion as an extra bonus (which is usually also hidden by the rootkit). Any time you are connected to the net the PC/malware could be uploading your keystrokes to a remote server; the activity could be hidden, and you'd never be the wiser. Of course unplugging the network cable could circumvent this, but for all we can guess the program simply logs the keystrokes to a file and then the next time it has access uploads them elsewhere; the malware writer at that point can go through your keystrokes looking for things like web passwords and especially passwords/information that gives them access to finances, paypal, ebay, and so forth. There is no way to know what parts are present; even when you use a special rootkit revealer, you can't know if it found all the various bits; and if one thing remains it could very well be used to rebuild the others, and so on.

Quote
I was going to ask about the backdoor trojan and why it's still not safe but BC_Programmer just answered two of my questions a few minutes earlier before I was about to post, thanks lol. So does this mean the 100% outgoing traffic from chrome.exe from comodo firewall as of this post can not be trusted?
Wow! scary stuff. This raises another question. Can the hacker access my data when my computer is turned off when it is still physically connected to the internet? Because if the computer is really stealing my data when I am online, I should be lagging right? So far I haven't noticed this yet. Unless the hacker can control the sending speed to a minimum level, in which case I wouldn't notice the lag difference?

Quote from: iusexp on December 06, 2010, 10:36:28 AM
Wow! scary stuff. This raises another question. Can the hacker access my data when my computer is turned off when it is still physically connected to the internet?
The computer could be sending the "logs" at regular intervals. There is absolutely no way to know. It's all hidden from you. It could be accumulating the logs until there is a connection and sending them off.

Quote
Because if the computer is really stealing my data when I am online, I should be lagging right?
err... no... that doesn't even make much sense. A few days' worth of keystrokes might be a few hundred K.

Oh my bad, I meant, wouldn't I lag when it sends the data? Like, I would lag for a few seconds when it is sending the few hundred K. Okay, I just want to give it a shot by cleaning it before I reformat. Superdave, are you still there?

I fully realize it's a bi*** to reformat but it would really be worth the effort to get a clean computer.

Quote from: iusexp on December 07, 2010, 01:26:23 PM
Oh my bad, I meant, wouldn't I lag when it sends the data? Like, I would lag for a few seconds when it is sending the few hundred K.
Maybe. If you were using a 3600 baud Modem. (that's a no for all practical purposes ) |
|
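The SysProt log pasted in the previous thread and the discussion above of files hidden from the Windows API come down to the same triage question: which of the hidden modules, kernel hooks and hidden files an anti-rootkit scanner reports are explained by what is installed on that machine, and which are not. The following Python script is an added example, not code from the thread, from SysProt or from any tool mentioned: it parses the SysProt log format and applies allowlists that are assumptions for illustration, over a constructed sample log in which example_unknown.sys and the RECYCLER path are invented stand-ins.

```python
"""Triage a SysProt AntiRootkit log (added example; allowlists are assumptions)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the SysProt v1.0.1.0 logs pasted in the thread
# (one "Key: value" field per line, sections split by rows of asterisks).
# example_unknown.sys and the RECYCLER path are invented stand-ins, not real findings.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0 by swatkat
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C400000
Module End: 8C40B000
Hidden: Yes

Module Name: \??\C:\Windows\System32\Drivers\example_unknown.sys
Service Name: ---
Module Base: 9A000000
Module End: 9A008000
Hidden: Yes
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateFile
At Address: 82C4FE5B
Jump To: 8D3437A2
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryDirectoryFile
At Address: 82C50A10
Jump To: 9A001200
Module Name: C:\Windows\System32\Drivers\example_unknown.sys
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\RECYCLER\S-1-5-21-0000-0000-0000-1000\hn.exe
Status: Hidden
"""

SECTION_RE = re.compile(r"^(Kernel Modules|Kernel Hooks|Hidden files/folders):\s*$")
RECORD_START = {"Kernel Modules": "Module Name", "Kernel Hooks": "Hooked Function",
                "Hidden files/folders": "Object"}  # field that opens a new record
# Allowlists (assumptions): dump_* crash-dump drivers are listed as hidden on clean PCs;
# mfehidk.sys is McAfee's driver (the thread's log shows it hooking Zw* calls on a PC
# running McAfee); C:\Qoobox is ComboFix's own working folder.
EXPECTED_HIDDEN_MODULE_PREFIXES = ("dump_",)
KNOWN_HOOKING_DRIVERS = {"mfehidk.sys"}
EXPECTED_HIDDEN_PATH_PREFIXES = ("C:\\QOOBOX\\",)


def parse_sysprot(text):
    """Return {section: [record, ...]}, each record a dict of its "Key: value" fields."""
    report = {name: [] for name in RECORD_START}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        match = SECTION_RE.match(line)
        if match:
            section, current = match.group(1), None
            continue
        if section is None or ": " not in line:
            continue  # tool header and banners such as "No SSDT Hooks found"
        key, value = line.split(": ", 1)
        if key == RECORD_START[section]:
            current = {}
            report[section].append(current)
        if current is not None:
            current[key] = value
    return report


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(report):
    """Keep only the entries the allowlists above do not explain."""
    findings = {"suspicious_hidden_modules": [], "hooks_by_unknown_module": {},
                "suspicious_hidden_files": []}
    for mod in report["Kernel Modules"]:
        name = basename(mod.get("Module Name", ""))
        if mod.get("Hidden") == "Yes" and not name.lower().startswith(EXPECTED_HIDDEN_MODULE_PREFIXES):
            findings["suspicious_hidden_modules"].append(name)
    hooks = defaultdict(list)
    for hook in report["Kernel Hooks"]:
        hooks[basename(hook.get("Module Name", ""))].append(hook.get("Hooked Function", "?"))
    for name, funcs in hooks.items():
        if name.lower() not in KNOWN_HOOKING_DRIVERS:
            findings["hooks_by_unknown_module"][name] = sorted(funcs)
    for obj in report["Hidden files/folders"]:
        path = obj.get("Object", "")
        if not path.upper().startswith(EXPECTED_HIDDEN_PATH_PREFIXES):
            findings["suspicious_hidden_files"].append(path)
    return findings


if __name__ == "__main__":
    print(triage(parse_sysprot(SAMPLE_LOG)))
```

A hidden module or a hooking driver that no installed security product accounts for is exactly the entry to raise with a helper before anything is deleted.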
| 353. |
Solve : killgodzilla.exe made my windows not start? |
|
Answer» Okay, I was extremely hesitant at first, but I finally decided to do it for I couldn't find any other solutions. I would like to thank all of you for your opinions and dedication. Now that I have a fresh start, can you suggest me the best antivirus paid or unpaid in your opinion? Or any security updates you might have? I already have Malwarebytes installed and up to date. I doubt Malwarebytes is sufficient; I also have Webroot SpySweeper 2011. I have three internet browsers (the first time, the virus made my computer unable to go on either Firefox or IE, but my cousin's computer, which was also infected, was able to get on Google Chrome and quickly got rid of the same virus). Thanks.

I really like Microsoft Security Essentials.

Do I have to uninstall Webroot SpySweeper 2011? I think I'm going to go with Comodo for the firewall. Sound good?

No. You can keep Webroot SpySweeper. I have MSE and Comodo also. Sounds good. Since you're going to reformat don't worry about those findings from the scans.

Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help.

Thanks for the reply, but I already did most of what you said; I still get a virus called hn.exe using ESET online scanner and sdbot using Webroot SpySweeper 2011 even after quarantine and deletion.

I thought you were going to reformat your computer. Did you do that yet? Do you need instructions on how to do it?

Oh, yeah, sorry for the confusion, I did that of course. What I mean by "doing most" is that I didn't follow some of the unnecessary procedures the guy commented. I have already reformatted and those scans are showing. This can't be good. I don't see any symptoms yet though.

Ok. Is it possible that you were infected again when you were downloading a new AV or something else? What I mean is did you go on-line with an unprotected computer?

Yeah, I had to update my drivers and Malwarebytes lol. But before that, I used ESET online scanner before anything else and it picked up the hn.exe thing from c:/recycler.

Here are my suggestions. Please go to this link and follow the directions and post the required logs. Please post your logs in this link. I will lock this thread and we can start working with the new thread. |
|
| 354. |
Solve : Can't run programs or connect to internet? |
|
Answer» Still can't copy it, but now I'm asked to confirm overwriting NTLDR.
expand D:\I386\NTDETECT.COM C:\
Took a look at the CD itself, and found the problem I think. In tiny letters it says "This CD is not for reinstallation of programs or drivers." I should really pay more attention to these things.

If you can find a CD, that would be good. Try a local computer repair shop, and see if they will sell one to you. They rarely charge anything much.

Okay, been a while since I posted here. It took me a long time to find a repair shop, then a while to get there. When I finally got there to ask about a new CD, I was offered the same one I already had. So, tinkering with the one I had, I managed to somehow get the recovery console to copy the files, but now it looks like boot.ini and hal.dll are missing, so I still can't boot the computer. I tried the same method to get them off the disk but it doesn't seem able to find them. (Sorry if this is considered a necropost.)

This topic has gone on long enough. Please start a new topic. |
|
| 355. |
Solve : spyware on my computer.? |
|
Answer» Allan, these are my logs. I know I'm repeating myself but I have never posted on a website before! I followed all steps from CCleaner to HJT. Updated my Java and removed old versions. A quick note: I have been collecting superheroine videos and often download sample clips. Could this be a way to get malware on my PC?

It's possible but I'm not sure. AVG should flag anything that's infected but then no antivirus is 100% "bulletproof".

Dear evil, just ran that rootkit scan, everything ok, thanks again, Dennis.

Sounds good. Safe surfing... |
|
| 356. |
Solve : PC Problems 2? |
|
Answer» I currently have an ongoing open thread (PC Problems) on this forum for my other computer. I am concerned that this computer has some type of virus/malware problems too. The two computers are networked together. 2 days ago AVG detected two threats and removed or quarantined them. Yesterday when I turned on the computer AVG detected and removed another threat. After that threat was removed, I was unable to connect to the internet with Internet Explorer. The only way I was able to get connected again was to reset Internet Explorer to the default settings. |
|
| 357. |
Solve : HELP! "Windows Security Alert" virus on my machine!? |
|
Answer» Hi, Can a System Restore get rid of the virus? Or would it be better to use antivirus software?

System Restore will not cure infections. In fact, some malware is also installed in System Restore just waiting to be resurrected by the user hitting System Restore. If you go on-line without a good, up-to-date anti-virus program you're really looking for trouble. |
|
| 358. |
Solve : Browser closes? |
|
Answer» When selecting a link from most mail and occasionally from just regular sites my browser closes down. If I go back to the same place and re-try the link everything is fine. No other issues with PC at all. Windows XP, Yahoo mail. Any thoughts?

Try a different browser and report back. |
|
| 359. |
Solve : Unable to install anything? |
|
Answer» SysProt Antirootkit
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
extracted to. Open the text file and copy/paste the log here.

SysProt AntiRootkit v1.0.1.0 by swatkat
******************************************************************************************
No Hidden Processes found
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8D583000
Module End: 8D58E000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
Service Name: ---
Module Base: 8D58E000
Module End: 8D598000
Hidden: Yes

Module Name: \??\C:\Users\DAVIDM~1\AppData\Local\Temp\mbr.sys
Service Name: mbr
Module Base: A8E5C000
Module End: A8E62000
Hidden: Yes

Module Name: \??\C:\Users\DAVIDM~1\AppData\Local\Temp\catchme.sys
Service Name: catchme
Module Base: A8E62000
Module End: A8E6A000
Hidden: Yes

Module Name: \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: A8E6A000
Module End: A8E6C000
Hidden: Yes
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Personal.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Pictures.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\PrintHood.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Programs.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Recent.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\SendTo.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\SetPath.bat  Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat  Status: Access denied
Object: C:\Qoobox\BackEnv\VikPev00  Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl  Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl  Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl  Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl  Status: Access denied

That looks good. Now, I'd like to run this scan. I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Hi Super Dave, I left the scan running with a friend whilst I popped out. He told me no threats were found and no log was produced. Is this possible? Thanks, David

Quote from: dgreen on November 05, 2010, 08:22:20 AM: Hi Super Dave,
Yes. How's your computer running? Any issues? |
|
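The helper in the thread above judged the SysProt "Kernel Modules" listing by eye: every hidden module there belongs either to the Windows crash-dump mechanism (the dump_ copies of the storage driver) or to a tool that was running at the time (GMER's mbr.exe, catchme as bundled with ComboFix, Process Explorer). The script below is an added example for this page, not code from SysProt or from any poster: it parses that section, whether the log is line-broken or flattened as pasted, and separates hidden modules that an analyst-maintained allowlist explains from the ones that still need a look. The allowlist KNOWN_HIDDEN is an assumption I supply for illustration, not anything SysProt ships; the entry named example_unknown.sys, with its path and addresses, is constructed to show the unexplained case.

```python
"""Triage the 'Kernel Modules' section of a SysProt AntiRootkit log.

Added example for this thread, not SysProt's or any poster's code.
KNOWN_HIDDEN is an analyst-maintained allowlist (an assumption) of driver
files expected to be reported hidden because they belong to the crash-dump
mechanism or to anti-rootkit/diagnostic tools that were running.
"""
import re
from dataclasses import dataclass

# Entries copied from the SysProt log posted in the thread, plus one
# CONSTRUCTED entry (example_unknown.sys; made-up path and addresses).
SAMPLE_LOG = r"""Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8D583000
Module END: 8D58E000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
Service Name: ---
Module Base: 8D58E000
Module End: 8D598000
Hidden: Yes
Module Name: \??\C:\Users\DAVIDM~1\AppData\Local\Temp\mbr.sys
Service Name: mbr
Module Base: A8E5C000
Module End: A8E62000
Hidden: Yes
Module Name: \??\C:\Users\DAVIDM~1\AppData\Local\Temp\catchme.sys
Service Name: catchme
Module Base: A8E62000
Module End: A8E6A000
Hidden: Yes
Module Name: \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: A8E6A000
Module End: A8E6C000
Hidden: Yes
Module Name: \??\C:\Windows\Temp\example_unknown.sys
Service Name: ---
Module Base: A8E6C000
Module End: A8E70000
Hidden: Yes
"""

KNOWN_HIDDEN = {
    # Windows keeps crash-dump copies of the boot storage driver under a
    # dump_ prefix; they have no service entry and are routinely listed hidden.
    "dump_dumpata.sys": "Windows crash-dump copy of the storage driver",
    "dump_msahci.sys": "Windows crash-dump copy of the storage driver",
    # Drivers dropped by the anti-rootkit/diagnostic tools run in this thread.
    "mbr.sys": "driver of GMER's mbr.exe",
    "catchme.sys": "GMER catchme driver (also used by ComboFix)",
    "procexp113.sys": "Sysinternals Process Explorer driver",
}

# Directories a legitimate kernel driver is rarely loaded from.
USER_WRITABLE_HINTS = ("\\temp\\", "\\users\\", "\\documents and settings\\")

# IGNORECASE because the posted log spells one entry 'Module END:'.
MODULE_RE = re.compile(
    r"Module Name:\s*(?P<name>\S+)\s+Service Name:\s*(?P<service>\S+)\s+"
    r"Module Base:\s*(?P<base>[0-9A-F]+)\s+Module End:\s*(?P<end>[0-9A-F]+)\s+"
    r"Hidden:\s*(?P<hidden>Yes|No)",
    re.IGNORECASE,
)


@dataclass
class KernelModule:
    name: str
    service: str
    base: int
    end: int
    hidden: bool


@dataclass
class Finding:
    module: KernelModule
    explained: bool
    note: str


def parse_kernel_modules(log: str) -> list[KernelModule]:
    """Parse every module entry; works on line-broken or flattened logs."""
    return [KernelModule(m["name"], m["service"], int(m["base"], 16),
                         int(m["end"], 16), m["hidden"].lower() == "yes")
            for m in MODULE_RE.finditer(log)]


def basename(path: str) -> str:
    """Last component of an NT or DOS path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(modules, known=KNOWN_HIDDEN) -> list[Finding]:
    """Label each hidden module as explained (allowlisted) or unexplained."""
    findings = []
    for m in modules:
        if not m.hidden:
            continue
        reason = known.get(basename(m.name))
        if reason:
            findings.append(Finding(m, True, reason))
            continue
        notes = ["not in allowlist"]
        if any(h in m.name.lower() for h in USER_WRITABLE_HINTS):
            notes.append("loaded from a user-writable path")
        if m.service == "---":
            notes.append("no service entry")
        findings.append(Finding(m, False, "; ".join(notes)))
    return findings


if __name__ == "__main__":
    for f in triage(parse_kernel_modules(SAMPLE_LOG)):
        print(("ok   " if f.explained else "LOOK ") + f.module.name + "  (" + f.note + ")")
```

Run against the posted listing, all five real entries come back explained and only the constructed example_unknown.sys is flagged, with the two properties that would matter on a real machine called out: it sits in a user-writable directory and has no service entry. Keep the allowlist short and tied to tools you know were run on that box; a hidden driver you cannot tie to a tool is exactly what ComboFix was chasing in the earlier thread.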
| 360. |
Solve : Re-appearing Trojans? |
|
Answer» I couldn't get any password prompt on either website, they both showed a 'could not display' page. I copied and pasted both links and clicked on the hyperlink, which was just http://192.168/, and got the same result.

Go to Start > Run, type in CMD and hit OK.
It may not post a log if it didn't remove anything.

I know the second one found 5 malware but I'm not sure other than that.

Please use Internet Explorer and run a BitDefender Online scan
ESET Online Scan Please run a free online scan with the ESET Online Scanner
I think my computer was accessed again a few days ago; there were web sites that neither my wife nor I have visited, and some settings in Norton had changed. We started to disconnect the internet while we're not using it and put a password on Norton. If you know of anything else we could do to make it more secure, it would be a huge help. Thanks

This topic has gone on long enough. Please start a new topic. |
|
| 361. |
Solve : AV Security trojan removal help please? |
|
Answer» Done. |
|
| 362. |
Solve : Different computer than the other listed. Acts the same. Results here. Replace?? |
|
Answer» When I went under Add/Remove, when removing McAfee, I get 2 errors during the configuring process. Is there a different way to remove it, or how do I just disable it? I have 53.1 GB used, 21.3 free.

Please right click on My Computer, select Properties and tell me how much RAM you have.

I have 1 GB of RAM.

That's just about the minimum to run XP. Depending what else you run on that computer would put an extra load on the RAM. You could consider another GB of RAM. Download OTL to your Desktop
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
nvstor32.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
Beep.SYS
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys
/md5stop
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\DENNIS\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,023.00 Mb Total Physical Memory | 376.00 Mb Available Physical Memory | 37.00% Memory free 1.00 Gb Paging File | 1.00 Gb Available in Paging File | 46.00% Paging File free Paging file location(s): C:\pagefile.sys 384 768 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74.52 Gb Total Space | 21.00 Gb Free Space | 28.18% Space Free | Partition Type: NTFS Computer Name: THEDEN | User Name: DENNIS | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\] [HKEY_CURRENT_USER\SOFTWARE\Classes\] .html [@ = htmlfile] -- Reg Error: Key error. File not found ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft) Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft) Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "1525:UDP" = 1525:UDP:*:Enabled:Windows Media Format SDK 
(IEXPLORE.EXE) "1524:UDP" = 1524:UDP:*:Enabled:Windows Media Format SDK (IEXPLORE.EXE) ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation) "C:\Program Files\Abacast\Abaclient.exe" = C:\Program Files\Abacast\Abaclient.exe:*:Enabled:Abaclient -- (Abacast, Inc.) "C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation) "C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.) "C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.) "C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.) 
========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{08D5F667-E1D7-4792-9FFD-5888C8D4A0DF}" = Garmin Training Center "{0A5825FD-0FB7-4e45-9037-858D463F2943}" = BPDSoftware "{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics "{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = TOOLBOX "{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update "{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}" = HP Driver Diagnostics "{17424F35-8B77-4ADF-BC63-BF9B81418539}" = Apple Application Support "{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService "{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax "{1B4A246D-3F30-45DA-ABFF-FF5C768F9A74}" = Peachtree Complete Accounting 2004 "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 22 "{2951A232-69BA-4925-BB9A-CEEB72B18B4F}" = BPDSoftware_Ini "{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support "{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{398E8625-6F3A-4C54-B54C-28F0ABB89774}" = BPD_HPSU "{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel "{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10 "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR "{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}" = Easy CD & DVD Creator 6 "{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter "{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011 "{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC "{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery 
"{572F2A62-70CD-4429-8758-6D4D6DC696E1}" = 4500_Help "{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp "{5AD96CF5-2627-4F29-9D2D-72FCD85F6355}" = AVG 2011 "{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan "{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2 "{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers "{6697D99E-E550-4498-B793-4A8DD8A1821F}" = ProductContext "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder "{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc "{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan "{87AEFD84-BC0D-11D4-B885-00508B022A51}" = McAfee VirusScan "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12 "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007 "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office EXCEL MUI (English) 2007 "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007 "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007 "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 
Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007 "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007 "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007 "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007 "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007 "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007 "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft 
Office Groove MUI (English) 2007 "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007 "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007 "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007 "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007 "{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2) "{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9E0FB790-5971-41F3-A1C3-1CF9E153FF2A}" = McAfee Firewall "{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status "{A23061AF-5361-433C-B7F0-CE5F79A22C49}" = AVG 2011 "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0 "{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers "{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply "{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5 "{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28 
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update "{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CB706270-54EA-4E48-9FFB-0B95FA04DBE6}" = bodybugg Software "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg "{CD0773D5-C18E-495c-B39B-21A96415EDD5}" = HP Officejet J4500 Series "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D142FE39-3386-4d82-9AD3-36D4A92AC3C2}" = DocMgr "{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch "{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component "{DC2FA8DF-25B8-49AC-AEA7-6F4489CC04F7}" = bodybugg Software "{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01 "{E3B67FB4-F425-40E5-BDDA-7CD494202022}" = MPIO Software Installation "{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari "{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime "{E8843212-F0FC-4C3B-BFF3-D51829CB4F19}" = iTunes "{EE68B852-C4C7-42CC-B664-92BBBFAA7FEE}" = Garmin Training Center "{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer "{FDEC11CC-4BD6-4a8c-A398-3CCD8E43EACA}" = J4500 "{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour "49CF605F02C7954F4E139D18828DE298CD59217 C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0) "Abacast CLIENT" = Abacast Client "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "AudibleDownloadManager" = Audible Download MANAGER "AVG" = AVG 2011 "AviSynth" = AviSynth 2.5 "Boly Camera" = Remove Boly Media Digital Camera "CCleaner" = CCleaner "CleanUp!" = CleanUp! 
"C-Media Audio Driver" = C-Media WDM Audio Driver "Coupon Printer for Windows4.0" = Coupon Printer for Windows "DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility "Device Control" = Device Control "EasyLinkAdvisor" = Linksys EasyLink Advisor 1.5 (1044) "EAX" = Creative EAX Console "ENTERPRISER" = Microsoft Office Enterprise 2007 "ESET Online Scanner" = ESET Online Scanner v3 "HP Document Manager" = HP Document Manager 1.0 "HP Imaging Device Functions" = HP Imaging Device Functions 10.0 "HP Photo Printing Software" = HP Photo Printing Software "HP Photosmart Essential" = HP Photosmart Essential 2.5 "hp psc 900 series 1077747186" = hp psc 900 series "HP Smart Web Printing" = HP Smart Web Printing "HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0 "HPExtendedCapabilities" = HP Customer Participation Program 10.0 "HPOCR" = OCR Software by I.R.I.S. 10.0 "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "InFlac" = InFlac 1.1.1 "InstallShield_{1B4A246D-3F30-45DA-ABFF-FF5C768F9A74}" = Peachtree Complete Accounting 2004 "InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10 "InstallShield_{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28 "InstallShield_{CB706270-54EA-4E48-9FFB-0B95FA04DBE6}" = bodybugg Software "InstallShield_{DC2FA8DF-25B8-49AC-AEA7-6F4489CC04F7}" = bodybugg Software "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox (3.6." = Mozilla Firefox (3.6. 
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "NVIDIA Drivers" = NVIDIA Drivers "Paradise Poker" = Paradise Poker "PC Tools Firewall Plus" = PC Tools Firewall Plus 6.0 "PCI Audio Driver" = PCI Audio Driver "Pop-Up Stopper Free Edition" = Pop-Up Stopper Free Edition "Shop for HP Supplies" = Shop for HP Supplies "SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver "Smart Defrag_is1" = Smart Defrag "SMC Barricade Print Server Monitor" = SMC Barricade Print Server Monitor "SPEAKER" = Creative Speaker Settings "Spyware Doctor" = Spyware Doctor 8.0 "Stamps.com Internet Postage" = Stamps.com Internet Postage "Winamp" = Winamp "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinZip" = WinZip "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 "Yahoo! Companion" = Yahoo! Toolbar "YDKJ" = YOU DON'T KNOW JACK V1.0 "YInstHelper" = Yahoo! Install Manager ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Facebook Plug-In" = Facebook Plug-In "Sportsbook.com" = Sportsbook.com ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 11/13/2010 7:28:45 PM | Computer Name = THEDEN | Source = Bonjour Service | ID = 100 Description = 440: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.) Error - 11/14/2010 3:46:31 PM | Computer Name = THEDEN | Source = Bonjour Service | ID = 100 Description = 404: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.) 
Error - 11/15/2010 1:22:45 AM | Computer Name = THEDEN | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: with error: This operation returned because the timeout period expired.
Error - 11/15/2010 1:22:45 AM | Computer Name = THEDEN | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: with error: The specified server cannot perform the requested operation.
Error - 11/15/2010 4:26:35 PM | Computer Name = THEDEN | Source = Bonjour Service | ID = 100 Description = 384: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)
Error - 11/24/2010 4:56:03 PM | Computer Name = THEDEN | Source = MsiInstaller | ID = 11316 Description = Product: McAfee VirusScan -- Error 1316.A network error occurred while attempting to read from the file C:\WINDOWS\Installer\VSCAN60.msi
Error - 11/24/2010 4:56:39 PM | Computer Name = THEDEN | Source = MsiInstaller | ID = 11316 Description = Product: McAfee VirusScan -- Error 1316.A network error occurred while attempting to read from the file C:\WINDOWS\Installer\VSCAN60.msi
Error - 11/24/2010 4:56:58 PM | Computer Name = THEDEN | Source = Application Hang | ID = 1002 Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 11/24/2010 4:57:08 PM | Computer Name = THEDEN | Source = Application Hang | ID = 1001 Description = Fault bucket 734562961.
Error - 11/27/2010 8:49:15 PM | Computer Name = THEDEN | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: with error: This operation returned because the timeout period expired.
[ OSession Events ] Error - 5/27/2010 5:42:41 AM | Computer Name = THEDEN | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 39849 seconds with 2160 seconds of active time. This session ended with a crash. [ System Events ] Error - 11/26/2010 3:18:34 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7000 Description = The AVSync Manager service failed to start due to the following error: %%3 Error - 11/26/2010 3:20:43 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7022 Description = The HP CUE DeviceDiscovery Service service hung on starting. Error - 11/26/2010 7:33:10 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7000 Description = The AVSync Manager service failed to start due to the following error: %%3 Error - 11/26/2010 7:35:19 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7022 Description = The HP CUE DeviceDiscovery Service service hung on starting. Error - 11/27/2010 7:35:24 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7000 Description = The AVSync Manager service failed to start due to the following error: %%3 Error - 11/27/2010 7:37:24 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7022 Description = The HP CUE DeviceDiscovery Service service hung on starting. Error - 11/27/2010 8:56:12 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7000 Description = The AVSync Manager service failed to start due to the following error: %%3 Error - 11/27/2010 8:58:10 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7022 Description = The HP CUE DeviceDiscovery Service service hung on starting. 
Error - 11/28/2010 1:33:24 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7000 Description = The AVSync Manager service failed to start due to the following error: %%3 Error - 11/28/2010 1:35:30 PM | Computer Name = THEDEN | Source = Service Control Manager | ID = 7022 Description = The HP CUE DeviceDiscovery Service service hung on starting. < End of report > OTL logfile created on: 11/28/2010 11:18:16 PM - Run 1 OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\DENNIS\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,023.00 Mb Total Physical Memory | 376.00 Mb Available Physical Memory | 37.00% Memory free 1.00 Gb Paging File | 1.00 Gb Available in Paging File | 46.00% Paging File free Paging file location(s): C:\pagefile.sys 384 768 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74.52 Gb Total Space | 21.00 Gb Free Space | 28.18% Space Free | Partition Type: NTFS Computer Name: THEDEN | User Name: DENNIS | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2010/11/28 23:16:57 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DENNIS\Desktop\OTL.exe PRC - [2010/11/10 19:08:04 | 000,724,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe PRC - [2010/11/10 19:08:02 | 006,127,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe PRC - [2010/10/27 05:15:24 | 001,073,504 | ---- | M] (AVG Technologies CZ, s.r.o.) 
-- C:\Program Files\AVG\AVG10\avgnsx.exe PRC - [2010/10/27 05:14:50 | 001,047,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe PRC - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe PRC - [2010/10/22 04:57:54 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe PRC - [2010/10/22 04:57:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe PRC - [2010/10/22 04:56:58 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe PRC - [2010/10/22 04:56:56 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe PRC - [2010/10/08 10:21:30 | 000,750,920 | ---- | M] (AVG) -- C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe PRC - [2010/09/29 15:00:56 | 001,588,184 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\pctsGui.exe PRC - [2010/09/29 15:00:56 | 001,145,304 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\pctsSvc.exe PRC - [2010/03/15 13:02:36 | 000,366,840 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\pctsAuxs.exe PRC - [2010/01/12 10:41:00 | 003,168,216 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe PRC - [2009/12/17 13:54:40 | 001,795,488 | ---- | M] (Audible, Inc.) -- C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe PRC - [2009/11/09 10:20:14 | 000,818,432 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Firewall Plus\FWService.exe PRC - [2009/04/10 11:29:08 | 000,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe PRC - [2008/08/13 14:34:08 | 001,891,416 | ---- | M] (GARMIN Corp.) 
-- C:\Program Files\Garmin\gStart.exe PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2006/10/30 11:01:16 | 000,392,832 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.) -- C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe ========== Modules (SafeList) ========== MOD - [2010/11/28 23:16:57 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DENNIS\Desktop\OTL.exe MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll MOD - [2010/08/04 12:19:26 | 000,150,576 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\PCTGMhk.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ) SRV - File not found [Auto | Stopped] -- C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe -- (AvSynMgr) SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt) SRV - [2010/11/10 19:08:02 | 006,127,184 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent) SRV - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd) SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) 
[Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2010/09/29 15:00:56 | 001,145,304 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService) SRV - [2010/03/15 13:02:36 | 000,366,840 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService) SRV - [2009/11/09 10:20:14 | 000,818,432 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Firewall Plus\FWService.exe -- (PCToolsFirewallPlus) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\Pcouffin.sys -- (Pcouffin) DRV - [2010/11/13 16:13:32 | 000,044,288 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\unzipped\SysProt\SysProt\SysProtDrv.sys -- (SysProtDrv.sys) DRV - [2010/11/09 22:20:58 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix) DRV - [2010/10/05 10:11:12 | 000,123,712 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctplfw.sys -- (pctplfw) DRV - [2010/10/05 10:10:56 | 000,249,616 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi) DRV - [2010/09/30 07:58:32 | 000,159,936 | ---- | M] (PC Tools) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PCTAppEvent.sys -- (PCTAppEvent) DRV - [2010/09/13 16:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH) DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86) DRV - [2010/09/07 03:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) 
[Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86) DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86) DRV - [2010/09/03 11:28:54 | 000,087,400 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctNdis-PacketFilter.sys -- (PCTFW-PacketFilter) DRV - [2010/08/19 21:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter) DRV - [2010/08/19 21:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver) DRV - [2010/08/19 21:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim) DRV - [2010/08/18 12:51:26 | 000,237,632 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore) DRV - [2010/08/10 16:58:50 | 000,056,536 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctNdis.sys -- (pctNDIS) DRV - [2010/07/16 13:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pctEFA.sys -- (pctEFA) DRV - [2010/07/16 13:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pctDS.sys -- (pctDS) DRV - [2010/05/10 12:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL) DRV - [2010/02/17 12:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV) DRV - [2008/11/03 15:34:08 | 000,071,488 | ---- | M] 
(FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K) DRV - [2008/11/03 15:34:08 | 000,053,184 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS) DRV - [2008/08/20 11:58:58 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k) DRV - [2008/08/20 11:58:58 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp) DRV - [2008/04/13 12:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum) DRV - [2008/04/13 12:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp) DRV - [2008/02/09 18:47:35 | 000,028,672 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\goprot51.sys -- (GoProto) DRV - [2007/06/15 02:47:26 | 001,127,936 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17) DRV - [2006/03/20 17:34:56 | 001,452,032 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\p17filt.sys -- (p17filt) DRV - [2005/01/10 10:15:30 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv) DRV - [2005/01/10 10:15:24 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k) DRV - [2004/08/03 22:31:20 | 000,036,224 | ---- | M] (ADMtek Incorporated.) 
[Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983) DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv) DRV - [2004/08/03 21:31:36 | 000,032,768 | R--- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC) DRV - [2004/06/09 08:29:56 | 000,006,977 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2) DRV - [2003/08/04 15:27:30 | 000,020,796 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus) DRV - [2003/06/25 00:18:48 | 000,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp) DRV - [2003/06/25 00:18:48 | 000,146,560 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp) DRV - [2003/06/25 00:18:46 | 000,259,328 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp) DRV - [2003/06/25 00:18:46 | 000,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k) DRV - [2003/06/25 00:18:46 | 000,022,745 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K) DRV - [2003/06/25 00:18:46 | 000,021,993 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K) DRV - [2002/01/28 19:43:14 | 000,370,382 | R--- | M] (C-Media Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKCU\..\URLSearchHook: 
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "http://go.microsoft.com/fwlink/?linkid=677" FF - prefs.js..extensions.enabledItems: [emailprotected]:1.0 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1167 FF - prefs.js..network.proxy.no_proxies_on: "*.local" FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/11/25 11:00:27 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/23 15:28:38 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/13 15:08:48 | 000,000,000 | ---D | M] [2009/04/13 13:49:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DENNIS\Application Data\Mozilla\Extensions [2010/11/28 23:12:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DENNIS\Application Data\Mozilla\Firefox\Profiles\lt56z74s.default\extensions [2009/09/03 10:13:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\DENNIS\Application Data\Mozilla\Firefox\Profiles\lt56z74s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/02/04 16:45:40 | 000,002,254 | ---- | M] () -- C:\Documents and Settings\DENNIS\Application Data\Mozilla\Firefox\Profiles\lt56z74s.default\searchplugins\askcom.xml [2010/11/28 23:12:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2010/10/14 21:34:49 | 000,000,000 | 
---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll O1 HOSTS File: ([2010/11/09 23:09:55 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.) O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) O4 - HKLM..\Run: [00PCTFW] C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools) O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.) O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [ISTray] C:\Program Files\PC Tools Security\pctsGui.exe (PC Tools) O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe () O4 - HKCU..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.) O4 - HKCU..\Run: [gStart] C:\Program Files\Garmin\gStart.exe (GARMIN Corp.) 
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) 
O15 - HKCU\..Trusted Domains: facebook.com ([]https in Trusted sites) O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} http://esupport.sony.com/VaioInfo.CAB (VaioInfo.CMClass) O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15026/CTSUEng.cab (Creative Software AutoUpdate) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (Windows Genuine Advantage Validation Tool) O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab (VerifyGMN Class) O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class) O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.) O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (DeviceEnum Class) O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38021.7784143519 (Reg Error: Key error.) 
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan) O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} http://download.abacast.com/download/files/abasetup163.cab (Reg Error: Key error.) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15029/CTPID.cab (Creative Software AutoUpdate Support Package) O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.) 
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com) O24 - Desktop Components:0 () - http://player.xmradio.com/player/_media/headbg.gif O24 - Desktop Components:1 () - http://www.xmradio.com/images/global/xm_logo.gif O24 - Desktop Components:2 (My Current Home Page) - About:Home O24 - Desktop WallPaper: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\DENNIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2007/04/13 15:15:59 | 000,000,119 | ---- | M] () - C:\AUTOEXEC.BAK -- [ NTFS ] O32 - AutoRun File - [2007/04/13 15:15:59 | 000,000,196 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.) O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.) 
O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found NetSvcs: Ias - File not found NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 900 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe - (Hewlett-Packard Co.) MsConfig - StartUpFolder: C:^Documents and Settings^DENNIS^Start Menu^Programs^Startup^PowerReg Scheduler.exe - C:\Documents and Settings\DENNIS\Start Menu\Programs\Startup\PowerReg Scheduler.exe - File not found MsConfig - StartUpReg: C-Media Mixer - hkey= - key= - C:\WINDOWS\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw)) MsConfig - StartUpReg: CM-SmWizard - hkey= - key= - C:\WINDOWS\system\SmWizard.exe (C-Media Electronics Inc.) MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found MsConfig - StartUpReg: GrooveMonitor - hkey= - key= - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation) MsConfig - StartUpReg: HP Software Update - hkey= - key= - Reg Error: Value error. File not found MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.) 
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - File not found MsConfig - StartUpReg: nwiz - hkey= - key= - File not found MsConfig - StartUpReg: P17Helper - hkey= - key= - File not found MsConfig - StartUpReg: PopUpStopperFreeEdition - hkey= - key= - C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe (Panicware, Inc.) MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.) MsConfig - StartUpReg: RoxioAudioCentral - hkey= - key= - C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe (Roxio, Inc.) MsConfig - StartUpReg: RoxioDragToDisc - hkey= - key= - C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe (Roxio) MsConfig - StartUpReg: RoxioEngineUtility - hkey= - key= - C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio) MsConfig - StartUpReg: SiSUSBRG - hkey= - key= - C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.) MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - Reg Error: Value error. 
File not found MsConfig - State: "system.ini" - 0 MsConfig - State: "win.ini" - 0 MsConfig - State: "bootini" - 0 MsConfig - State: "services" - 0 MsConfig - State: "startup" - 1 SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found SafeBootMin: Base - Driver Group SafeBootMin: Boot Bus Extender - Driver Group SafeBootMin: Boot file system - Driver Group SafeBootMin: File system - Driver Group SafeBootMin: Filter - Driver Group SafeBootMin: PCI Configuration - Driver Group SafeBootMin: PNP Filter - Driver Group SafeBootMin: Primary disk - Driver Group SafeBootMin: SCSI Class - Driver Group SafeBootMin: sermouse.sys - Driver SafeBootMin: System Bus Extender - Driver Group SafeBootMin: vds - Service SafeBootMin: vga.sys - Driver SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found SafeBootNet: Base - Driver Group SafeBootNet: Boot Bus Extender - Driver Group SafeBootNet: Boot file system - Driver Group SafeBootNet: File system - Driver Group SafeBootNet: Filter - Driver Group 
SafeBootNet: NDIS Wrapper - Driver Group SafeBootNet: NetBIOSGroup - Driver Group SafeBootNet: NetDDEGroup - Driver Group SafeBootNet: Network - Driver Group SafeBootNet: NetworkProvider - Driver Group SafeBootNet: PCI Configuration - Driver Group SafeBootNet: PNP Filter - Driver Group SafeBootNet: PNP_TDI - Driver Group SafeBootNet: Primary disk - Driver Group SafeBootNet: SCSI Class - Driver Group SafeBootNet: sermouse.sys - Driver SafeBootNet: Streams Drivers - Driver Group SafeBootNet: System Bus Extender - Driver Group SafeBootNet: TDI - Driver Group SafeBootNet: vga.sys - Driver SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error. 
ActiveX: {0E92DD42-76F5-4EF2-B381-F9C1D72BE23D} - Security Update for Microsoft .NET Framework 2.0 (KB922770)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} - Security Update for Microsoft .NET Framework 2.0 (KB928365)
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {967B098A-042D-4367-BAC9-8BC11684174F} - Security Update for Microsoft .NET Framework 2.0 (KB917283)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Reg Error: Value error.
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {eddbec60-89cb-44ef-8291-0850fd28ff6a} - Q832894
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {F5776D81-AE53-4935-8E84-B0B283D8BCEF} - Q330994
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
Ac
And also I thought my board could only take 1 GB of memory:
Guaranteed-compatible memory upgrades for your Elite Group (ECS) K7S5A (Rev 3.X) Motherboard.
We were not able to determine the manufacturer and/or model of your PC, but we were able to complete our scan with information from your motherboard.
Scan Id: 16E4010631D926C3
Your Elite Group (ECS) K7S5A (Rev 3.X) Specifications
Currently installed memory: 512MB DDR PC3200, 512MB DDR PC3200
Each memory slot can hold DDR PC3200, DDR PC2700, SDRAM, PC133 with a maximum of 512MB per slot.*
*Not to exceed manufacturer supported memory.
Maximum Memory Capacity: 1024MB
Currently Installed Memory: 1GB
Available Memory Slots: 0
Total Memory Slots: 2
Dual Channel Support: No
CPU Manufacturer: AuthenticAMD
CPU Family: AMD Athlon(tm) XP 1800+ Model 8, Stepping 1
CPU Speed: 1493 MHz
Ok. You're stuck with 1 GB. Please try this: Slow Computer? It may not be Malware, for free cleaning/maintenance tools to help keep your computer running smoothly.
OK, I'll download that. Can you make anything out from the logs I sent?
All the logs look ok. Please run ESET again as instructed in Reply #8 and see what it finds. |
|
| 363. |
Solve : svchost.exe grabs CPU & memory; browser gets redirected? |
|
Answer» I'm not finding that file in that location. |
|
| 364. |
Solve : Computer slow to respond, freq freezes. Here are results? |
|
Answer» Here are the results, 4 infections |
|
| 365. |
Solve : TR/FakeSpyPro6? |
|
Answer» SysProt AntiRootkit v1.0.1.0
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
It's working but I haven't tried IE on that login. Other programs will run ok.
C:\Documents and Settings\Mike\Local Settings\Application Data\syssvc.exe	Win32/PSW.Delf.NQS trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\cfbxrttn.ini.vir	Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\qeoroqre.ini.vir	Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{8D4B012C-17CB-4D5E-B44D-75EF458DEC16}\RP697\A0145270.exe	Win32/PSW.Delf.NQS trojan
C:\System Volume Information\_restore{8D4B012C-17CB-4D5E-B44D-75EF458DEC16}\RP699\A0146805.ini	Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{8D4B012C-17CB-4D5E-B44D-75EF458DEC16}\RP699\A0146806.ini	Win32/Adware.Virtumonde.NEO application
Tried Firefox on that login and it wouldn't run. Error message "Set up for proxy server no connection".
Please run the ESET scan again and, this time, fix the infections. Remove the Proxy setting in Internet Explorer and/or in FireFox. In Internet Explorer
Thanks.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cfbxrttn.ini.vir	Win32/Adware.Virtumonde.NEO application	cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\qeoroqre.ini.vir	Win32/Adware.Virtumonde.NEO application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{8D4B012C-17CB-4D5E-B44D-75EF458DEC16}\RP697\A0145270.exe	Win32/PSW.Delf.NQS trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{8D4B012C-17CB-4D5E-B44D-75EF458DEC16}\RP699\A0146805.ini	Win32/Adware.Virtumonde.NEO application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{8D4B012C-17CB-4D5E-B44D-75EF458DEC16}\RP699\A0146806.ini	Win32/Adware.Virtumonde.NEO application	cleaned by deleting - quarantined
C:\System Volume Information\_restore{8D4B012C-17CB-4D5E-B44D-75EF458DEC16}\RP703\A0148602.exe	Win32/PSW.Delf.NQS trojan	cleaned by deleting - quarantined
Ok that seems to have everything back to normal. Java updated, firewall installed, Firefox updated, Windows Messenger removed, Recovery Console installed, Viewpoint removed.......... Just 1 more question. How many of these new programs should I keep? Thanks so much for your help. Mike.
Quote
Just 1 more question. How many of these new programs should I keep?
You can uninstall HJT but you may keep SAS and MBAM. Update them and run them regularly.
* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type commy /uninstall in the runbox
* Make sure there's a space between commy and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
*******************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator.
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
************************************
Looking over your log it seems you don't have any evidence of a second-party firewall. Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors. Remember only install ONE firewall:
1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
*************************************************************
Use the Secunia Software Inspector to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust.
WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time.
Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing.
Spybot - Search & Destroy FAQ
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
Thanks Dave. Will follow your suggestions and I have installed Online Armor Firewall. |
|
| 366. |
Solve : Computer possibly compromised? |
|
Answer» Seems my computer, as well as a few other computers of people at an office I do work at, have been compromised. There has been access to my Gmail account from China (according to a message to me from Gmail) in the past few days, my Warcraft account has been hacked, and two other people I know at this office have had their Hotmail accounts accessed and used to spam people in their contacts in the last two days.
Code: [Select]ComboFix 10-04-21.01 - Noah 04/25/2010 8:09.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1548 [GMT 7:00] Running from: c:\users\Noah\Desktop\combo-fix.exe Command switches used :: /stepdel SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500 c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500 c:\$recycle.bin\S-1-5-21-2299539283-4137082352-299996081-500\desktop.ini c:\$recycle.bin\S-1-5-21-2663311255-305293875-2490082889-500\desktop.ini c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk c:\windows\system32\KBL.LOG . ((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 ))))))))))))))))))))))))))))))) . 2010-04-25 01:23 . 2010-04-25 01:23 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-04-24 04:32 . 2010-04-24 04:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Malwarebytes 2010-04-24 04:32 . 2010-03-29 17:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-24 04:31 . 2010-04-24 04:31 -------- d-----w- c:\programdata\Malwarebytes 2010-04-24 04:31 . 2010-04-24 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-24 04:31 . 2010-03-29 17:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-24 01:29 . 2010-04-24 01:29 52224 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-04-24 01:29 . 2010-04-24 01:29 117760 ----a-w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-04-24 01:28 . 2010-04-24 01:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2010-04-24 01:27 . 
2010-04-24 01:27 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-04-24 01:27 . 2010-04-24 01:27 -------- d-----w- c:\users\Noah\AppData\Roaming\SUPERAntiSpyware.com 2010-04-16 05:32 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys 2010-04-16 05:32 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-04-16 05:32 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys 2010-04-16 05:32 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-04-16 05:32 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-04-16 05:31 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-04-16 05:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll 2010-04-16 05:28 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll 2010-04-16 05:28 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys 2010-04-16 05:28 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys 2010-04-16 05:27 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll 2010-04-10 03:06 . 2010-04-10 03:06 -------- d-----w- c:\windows\system32\Adobe 2010-04-05 04:01 . 2010-04-05 04:01 -------- d-----w- c:\program files\MagicISO 2010-04-05 02:14 . 2010-04-05 02:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment 2010-03-29 09:09 . 2010-04-02 01:31 -------- d-----w- c:\users\Noah\AppData\Roaming\skypePM 2010-03-29 09:04 . 2010-04-02 01:32 -------- d-----w- c:\users\Noah\AppData\Roaming\Skype 2010-03-29 09:02 . 2010-04-02 01:39 -------- d-----w- c:\programdata\Skype . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-24 05:39 . 2009-10-30 01:46 111336 ----a-w- c:\programdata\nvModes.dat 2010-04-24 01:26 . 2009-11-06 01:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2010-04-23 03:46 . 
2009-11-23 02:14 -------- d-----w- c:\users\Noah\AppData\Roaming\Free Download Manager 2010-04-23 03:46 . 2009-10-16 02:06 -------- d-----w- c:\programdata\Kaspersky Lab 2010-04-18 06:15 . 2009-11-29 05:12 -------- d-----w- c:\users\Noah\AppData\Roaming\vlc 2010-04-18 04:52 . 2010-02-22 05:05 -------- d-----w- c:\users\Noah\AppData\Roaming\dvdcss 2010-04-17 05:26 . 2008-03-07 18:15 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-04-16 05:33 . 2008-03-07 18:56 -------- d-----w- c:\programdata\Microsoft Help 2010-04-16 02:37 . 2009-12-06 03:24 -------- d-----w- c:\program files\Google 2010-04-05 04:03 . 2009-10-16 03:20 -------- d-----w- c:\users\Noah\AppData\Roaming\uTorrent 2010-04-02 09:27 . 2008-07-19 08:52 12 ----a-w- c:\windows\bthservsdp.dat 2010-04-02 01:36 . 2008-03-07 20:04 -------- d-----w- c:\program files\Java 2010-03-29 09:09 . 2010-03-29 09:09 56 ---ha-w- c:\programdata\ezsidmv.dat 2010-03-29 01:14 . 2009-12-19 09:31 680 ----a-w- c:\users\Noah\AppData\Local\d3d9caps.dat 2010-03-21 02:49 . 2010-03-21 02:49 -------- d-----w- c:\program files\IObit 2010-03-09 06:45 . 2008-07-19 09:15 -------- d-----w- c:\programdata\WildTangent 2010-03-09 06:38 . 2009-11-06 01:57 -------- d-----w- c:\programdata\Media Center Programs 2010-03-08 21:28 . 2010-01-21 04:36 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-02-24 03:16 . 2009-10-16 02:21 181632 ------w- c:\windows\system32\MpSigStub.exe 2010-02-23 06:39 . 2010-04-02 01:52 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-23 06:33 . 2010-04-02 01:52 71680 ----a-w- c:\windows\system32\iesetup.dll 2010-02-23 06:33 . 2010-04-02 01:52 109056 ----a-w- c:\windows\system32\iesysprep.dll 2010-02-23 04:55 . 2010-04-02 01:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe 2010-02-20 23:06 . 2010-03-11 05:42 24064 ----a-w- c:\windows\system32\nshhttp.dll 2010-02-20 23:05 . 2010-03-11 05:42 30720 ----a-w- c:\windows\system32\httpapi.dll 2010-02-20 20:53 . 
2010-03-11 05:42 411648 ----a-w- c:\windows\system32\drivers\http.sys 2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr 2009-02-27 18:47 . 2009-10-16 16:47 22 --sha-w- c:\windows\SMINST\HPCD.SYS 2009-11-13 05:37 . 2009-10-16 02:06 4634144 --sha-w- c:\windows\System32\drivers\fidbox.dat 2009-11-13 05:37 . 2009-10-16 02:06 745504 --sha-w- c:\windows\System32\drivers\fidbox2.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* EMPTY entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968] "Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800] "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-05-05 1466368] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032] "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320] "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048] "hpWirelessAssistant"="c:\program 
files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560] "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13556256] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 92704] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376] "avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576] "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-19 113664] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 08:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\acaptuser32.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):84,96,33,27,0a,59,ca,01 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2299539283-4137082352-299996081-1003] "EnableNotificationsRef"=dword:00000002 R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 135664] R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-03-12 86016] S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880] S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632] S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872] --- Other Services/Drivers In Memory --- *NewlyCreated* - SASDIFSV *NewlyCreated* - SASENUM *NewlyCreated* - SASKUTIL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache WindowsMobile REG_MULTI_SZ wcescomm rapimgr LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2007-08-23 10:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder 2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50] 2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 02:50] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop uDefault_Search_URL = hxxp://www.google.com/ie mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... 
- c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm FF - ProfilePath - c:\users\Noah\AppData\Roaming\Mozilla\Firefox\Profiles\fse4u3p0.default\ FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll FF - component: c:\program files\Mozilla *Blocked Russian URL*\components\KavLinkFilter.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . - - - - ORPHANS REMOVED - - - - HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-25 08:24 Windows 6.0.6002 Service Pack 2 NTFS scanning hidden processes ... [0] 0x00690076 scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2299539283-4137082352-299996081-1003\Software\SecuROM\!CAUTION! 
NEVER A OR CHANGE ANY KEY*]
"??"=hex:d3,d7,d0,6b,8f,10,99,81,a3,c1,dc,28,51,33,8b,9f,30,0c,dc,ec,67,e6,06, 3e,e4,68,13,d9,39,fc,72,13,74,f2,09,b1,bf,5f,23,0a,ec,98,3c,8d,70,cd,2b,ce,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-25 08:30:03
ComboFix-quarantined-files.txt 2010-04-25 01:29
Pre-Run: 44,393,619,456 bytes free
Post-Run: 48,444,194,816 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,17
- - End Of File - - 9154B4621CA13F235466BA7EFDF10DBA
Sorry for the delay. I didn't take this laptop home with me last night. After we're done clearing this one, I'll post logs for my desktop at home to make sure it's clean as well.
GMER Note about this tool:
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution** These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
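Reading the "Reg Loading Points" section of a ComboFix log like the one above is a triage step: the Run keys say what starts at logon, AppInit_DLLs says what gets injected into every GUI process, and the UAC policy values say how much friction an elevation gets. The Python below is an added example, not part of this thread and not ComboFix's own code, that parses that section and flags three things: ConsentPromptBehaviorAdmin set to 0 (administrators are elevated without any prompt, which is the value in the log above), every DLL listed in AppInit_DLLs (the log names acaptuser32.dll and a DLL under the Kaspersky directory; both should be verified against their publisher, not assumed malicious), and Run entries whose image lives outside Program Files or the Windows directory. The section layout is assumed from the log above; the sample entries are copied from it except the "Updater" Run value, which is constructed to show an autostart from a user-writable path.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section.
# Entries are copied from the log above except the "Updater" Run value, which is
# invented to show an autostart from a user-writable directory.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]
"Updater"="c:\users\Noah\AppData\Roaming\Updater\updater.exe" [2010-04-20 61440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13556256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll
'''

KEY = re.compile(r"^\[(?P<key>.+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
IMAGE = re.compile(r'^"(?P<image>[^"]+)"')  # quoted image path of a Run entry

# Roots from which a vendor autostart is expected. AppData, Temp, the user profile
# or the recycle bin are writable without elevation and deserve a look.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")

# ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 1/3 = prompt for
# credentials, 2/4 = prompt for consent, 5 = prompt for non-Windows binaries (default).


def triage_loading_points(text):
    """Return (category, message) findings for a Reg Loading Points section."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY.match(line)
        if k:
            key = k.group("key").lower()
            continue
        v = VALUE.match(line)
        if not v:
            continue
        name, value = v.group("name"), v.group("value").strip()
        if key.endswith(r"\policies\system") and name.lower() == "consentpromptbehavioradmin":
            code = int(value.split()[0])  # ComboFix prints the value as "0 (0x0)"
            if code == 0:
                findings.append(("UAC", f"{name}={code}: administrators are elevated without a "
                                        "prompt, so malware running as an admin user gains full rights silently"))
        elif name.lower() == "appinit_dlls" and value:
            for dll in value.split():
                findings.append(("AppInit_DLLs", f"{dll} is loaded into every process that loads "
                                                 "user32.dll; verify its publisher"))
        elif key.endswith(r"\currentversion\run"):
            m = IMAGE.match(value)
            image = (m.group("image") if m else value.split(" [")[0]).lower()
            if not image.startswith(TRUSTED_ROOTS):
                findings.append(("Run", f"{name} starts {image} from a user-writable location"))
    return findings


if __name__ == "__main__":
    for category, message in triage_loading_points(SAMPLE):
        print(f"[{category}] {message}")
```

The checks are deliberately conservative: a hit means "look at this", not "malicious". AppInit_DLLs is used by legitimate products (accessibility tools, some security suites), and an autostart under AppData is how many updaters behave; the value of the script is that it surfaces the handful of entries worth a signature check and a hash lookup out of a log with dozens.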
Please download RootRepeal from GooglePages.com.
I've got it running now, but I'll be leaving the shop here in about 20 minutes to head back home and I'll continue it then if it doesn't finish before I leave.
RootRepeal gave an error, then closed. The error window was empty. After clicking the X close button, a second smaller but equally empty window popped up, then RootRepeal closed.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
scecli.dll netlogon.dll eventlog.dll winlogon.exe comres.dll crypt32.dll gpedit.dll rundll32.exe sfc.dll svchost.exe cngaudit.dll beep.sys wscntfy.exe atapi.sys bthport.sys
Log created at 09:29 on 26/04/2010 by Noah (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 177152 bytes [01:27 25/04/2010] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\System32\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1

Searching for "netlogon.dll"
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 592896 bytes [01:27 25/04/2010] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE
C:\WINDOWS\System32\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE
C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [02:24 21/01/2008] [02:24 21/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll --a--- 592896 bytes [17:42 28/10/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE

Searching for "eventlog.dll"
C:\Program Files\CyberLink\PowerDirector\EventLog.dll --a--- 7216 bytes [06:30 13/01/2007] [06:30 13/01/2007] C2A279A458A06DE2C83D842AA042B5A8

Searching for "winlogon.exe"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a--- 314368 bytes [01:27 25/04/2010] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452
C:\WINDOWS\System32\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452
C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a--- 314880 bytes [02:24 21/01/2008] [02:24 21/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24
C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe --a--- 314368 bytes [17:42 28/10/2009] [06:28 11/04/2009] 898E7C06A350D4A1A64A9EA264D55452

Searching for "comres.dll"
C:\WINDOWS\System32\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\WINDOWS\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4211249955AF9133E2E357CC92B54DFD

Searching for "crypt32.dll"
C:\WINDOWS\System32\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C
C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\crypt32.dll --a--- 977408 bytes [02:24 21/01/2008] [02:24 21/01/2008] D4D86075510C02F887528207D8E0D713
C:\WINDOWS\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6002.18005_none_5d5b3ae7daf59226\crypt32.dll --a--- 978944 bytes [17:43 28/10/2009] [06:28 11/04/2009] 6659EC6006FD99A3AF1B8A6306F8BE3C

Searching for "gpedit.dll"
C:\WINDOWS\System32\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45
C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6001.18000_none_ce322c9564e76885\gpedit.dll --a--- 936960 bytes [02:24 21/01/2008] [02:24 21/01/2008] E3DDEB38C6303086F79C6B7E83C372C8
C:\WINDOWS\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.0.6002.18005_none_d01da5a1620933d1\gpedit.dll --a--- 950784 bytes [17:43 28/10/2009] [06:28 11/04/2009] 4E51A7052D162B2BA85612B486A68A45

Searching for "rundll32.exe"
C:\WINDOWS\System32\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A
C:\WINDOWS\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.0.6000.16386_none_d5ce8f93adff8210\rundll32.exe --a--- 44544 bytes [08:48 02/11/2006] [09:45 02/11/2006] 4B555106290BD117334E9A08761C035A

Searching for "sfc.dll"
C:\WINDOWS\ERDNT\cache\sfc.dll --a--- 4608 bytes [01:27 25/04/2010] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\WINDOWS\System32\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8
C:\WINDOWS\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.0.6001.18000_none_a735c34c5c31a578\sfc.dll --a--- 4608 bytes [08:33 02/11/2006] [09:46 02/11/2006] F4E1AA5D59C849A4AB47E895DC76B9C8

Searching for "svchost.exe"
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 21504 bytes [01:27 25/04/2010] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF
C:\WINDOWS\System32\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF
C:\WINDOWS\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe --a--- 21504 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3794B461C45882E06856F282EEF025AF

Searching for "cngaudit.dll"
C:\WINDOWS\ERDNT\cache\cngaudit.dll --a--- 11776 bytes [01:27 25/04/2010] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\WINDOWS\System32\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D
C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a--- 6144 bytes [01:27 25/04/2010] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\WINDOWS\System32\drivers\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6
C:\WINDOWS\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys --a--- 6144 bytes [02:23 21/01/2008] [02:23 21/01/2008] 67E506B75BD5326A3EC7B70BD014DFB6

Searching for "wscntfy.exe"
No files found.

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 19944 bytes [01:27 25/04/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\WINDOWS\System32\drivers\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

Searching for "bthport.sys"
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_00899617\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_03301a54\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_c206c850\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_cf39a24e\bthport.sys --a--- 220160 bytes [10:25 02/11/2006] [08:55 02/11/2006] 4A74BBB2B6761789F42A6613479BDB1D
C:\WINDOWS\System32\DriverStore\FileRepository\bth.inf_f5996c35\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B
C:\WINDOWS\System32\drivers\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.16682_none_700a06c9bea9b8da\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] B4CE8000AAB30A9AB16CD0FB3DB4D7CF
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6000.20824_none_70d68596d794e0d3\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:35 29/04/2008] 57DFAC97330E986F845B16B29314D21F
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18000_none_7244c43bbb913795\bthport.sys --a--- 219648 bytes [02:23 21/01/2008] [02:23 21/01/2008] 671134053D59E23704F08DB19F11E10B
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.18064_none_7207e5dbbbbe4497\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:42 29/04/2008] 73D53F8E90550BA81E2CF44A0873B410
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6001.22168_none_729583ced4d849bd\bthport.sys --a--- 220160 bytes [02:33 16/10/2009] [01:43 29/04/2008] 9F299C5274672900591E7C616D725F56
C:\WINDOWS\winsxs\x86_bth.inf_31bf3856ad364e35_6.0.6002.18005_none_74303d47b8b302e1\bthport.sys --a--- 507904 bytes [17:43 28/10/2009] [04:43 11/04/2009] 5A3ABAA2F8EECE7AEFB942773766E3DB

-=End Of File=-

Please run a free online scan with the ESET Online Scanner
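The filefind log above is read by comparing the MD5 of each live copy under System32 with the copies Windows keeps in winsxs and the DriverStore: on Vista the System32 file is a hard link to the winsxs component of the installed version, so a live copy whose hash matches none of the store copies is what a replaced system file looks like. The following is an added example, not code from the thread or from the SystemLook tool: a small Python parser for the filefind format that automates that comparison and also lists names that came back "No files found.". The sample log is constructed; its scecli.dll and wscntfy.exe blocks are copied from the log above, while the atapi.sys block has an invented all-zero MD5 on the live copy (and on the ERDNT backup, which ComboFix takes from the same live system and so is not an independent reference) to show a mismatch being flagged. The function and constant names (`parse_filefind`, `classify`, `check_live_copies`, `missing_files`, `SAMPLE_LOG`) are this example's own.

```python
import re

# Constructed sample in SystemLook ":filefind" output format. The scecli.dll
# and wscntfy.exe blocks are copied from the log in the thread; the atapi.sys
# block is constructed so that the live copy in System32\drivers (and the
# ERDNT backup taken from it) carries an invented all-zero MD5 that matches no
# copy in winsxs or the DriverStore.
SAMPLE_LOG = r"""
Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 177152 bytes [01:27 25/04/2010] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\System32\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll --a--- 177152 bytes [17:42 28/10/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
Searching for "wscntfy.exe"
No files found.
Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 19944 bytes [01:27 25/04/2010] [06:32 11/04/2009] 00000000000000000000000000000000
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\WINDOWS\System32\drivers\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 00000000000000000000000000000000
C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [17:42 28/10/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
"""

# One 'Searching for "<name>"' header per searched file ...
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"\s*$')
# ... followed by one line per hit: path, attributes, size, two timestamps, MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Parse SystemLook ':filefind' output into {searched name: [entries]}.

    A name whose block reads 'No files found.' maps to an empty list.
    """
    results = {}
    current = None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            results[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "md5": m.group("md5").upper(),
            })
    return results


def classify(path):
    """Say which role a hit plays in the comparison."""
    p = path.lower()
    if "\\winsxs\\" in p or "\\driverstore\\filerepository\\" in p:
        return "store"    # component store / driver store: the servicing copies
    if "\\erdnt\\" in p:
        return "backup"   # ERUNT backup written by ComboFix from the live system
    if "\\system32\\" in p or "\\syswow64\\" in p:
        return "live"     # the copy the running OS actually loads
    return "other"


def check_live_copies(results):
    """Return (name, live_path, md5, verdict) for every live copy.

    'ok' when the live MD5 equals some store copy's MD5, 'MISMATCH' when it
    equals none of them, 'no-reference' when the log has no store copy at all.
    """
    findings = []
    for name, entries in results.items():
        store = {e["md5"] for e in entries if classify(e["path"]) == "store"}
        for e in entries:
            if classify(e["path"]) != "live":
                continue
            if not store:
                verdict = "no-reference"
            elif e["md5"] in store:
                verdict = "ok"
            else:
                verdict = "MISMATCH"
            findings.append((name, e["path"], e["md5"], verdict))
    return findings


def missing_files(results):
    """Names that SystemLook searched for and did not find anywhere."""
    return sorted(name for name, entries in results.items() if not entries)


if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE_LOG)
    for name, path, md5, verdict in check_live_copies(parsed):
        print(f"{verdict:12} {name:14} {md5} {path}")
    for name in missing_files(parsed):
        print(f"{'missing':12} {name}")
```

Two caveats apply to any verdict this produces. A file modified in place through the hard link changes the winsxs copy as well, so both hashes still agree; and a kernel-mode rootkit of the kind this thread is about can filter what user-mode readers see, so an "ok" from a tool run on the live system is not proof that the file on disk is clean, which is why the log is cross-checked with an offline or cloud scan such as the one requested next.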
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
Can not extract cab
C:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cab
Err:The operation completed successfully.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
Can not read file from internet.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
Can not extract cab
C:\Program Files\ESET\ESET Online Scanner\OnlineScanner.cab
Err:Cannot create a file when that file already exists.
ESETSmartInstaller@High as downloader log: all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=04ab12bcc15cd643b9d6b91d41a57cdf
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-27 04:31:58
# local_time=2010-04-27 11:31:58 (+0700, SE Asia Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1280 16777215 100 0 13405978 13405978 0 0
# compatibility_mode=5892 16776573 100 100 0 109860867 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=193020
# found=0
# cleaned=0
# scan_time=10979
|