Hijack This Log
Aallmark
08-04-2009, 02:26 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:02 AM, on 8/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {68825740-ae21-4b09-8b7d-8a52fe540107} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: (no name) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: m0_glkP_150908 - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9341 bytes
crunchie
08-04-2009, 06:24 AM
Hi. The correct way to post is to give an explanation of the problems your PC is having and detail what you have done to try and rectify the problem.
HijackThis also needs to be run in normal mode.
====
Can you please do the following.
===============
Go to Add/Remove programs and uninstall the following, if present:
Viewpoint Manager, Viewpoint Media Player, Viewpoint Toolbar
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
===============
Scan with HijackThis and then place a check next to all the following, if present:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O2 - BHO: (no name) - {68825740-ae21-4b09-8b7d-8a52fe540107} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O20 - Winlogon Notify: m0_glkP_150908 - C:\WINDOWS\
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders: (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
folders...
C:\Program Files\Viewpoint
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following: restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear. Select the first option to run Windows in Safe Mode and hit Enter.
-
Reboot.
===============
Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here (http://www.gt500.org/malwarebytes/database.jsp) if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Make sure that you restart the computer.
Post new HJT log.
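The triage the helper performs by eye above (orphaned O2 BHOs showing "(no file)", an O20 Winlogon Notify entry pointing at a bare directory, services with no publisher, anything belonging to a program slated for Add/Remove) can be encoded as a small parser over HijackThis v2 log lines. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the log above, and the "Viewpoint" uninstall keyword is an assumption taken from the helper's list.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 format; the entries are copied from
# the log posted above so the rules can be checked against what the helper flagged.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: m0_glkP_150908 - C:\WINDOWS\
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

ENTRY_RE = re.compile(r"^O\d+ - ")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[^}]+\}) - (?P<file>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
O23_PREFIX = "O23 - Service: "


@dataclass(frozen=True)
class Finding:
    line: str    # the exact HJT line, as it would be ticked before "Fix checked"
    action: str  # "fix", "uninstall" or "review"
    reason: str


def triage(log_text, uninstall_keywords=("Viewpoint",)):
    """Apply the helper's rules to every O-section line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            continue  # header, process list, "End of file" and similar non-entry lines
        # Uninstall-first rule: the program name "could appear anywhere within the entry".
        hit = next((k for k in uninstall_keywords if k.lower() in line.lower()), None)
        if hit:
            findings.append(Finding(line, "uninstall", f"entry names '{hit}', remove via Add/Remove Programs first"))
            continue
        m = O2_RE.match(line)
        if m:
            if m["file"] == "(no file)":
                findings.append(Finding(line, "fix", f"orphaned BHO {m['clsid']}: CLSID registered but its DLL is gone"))
            continue
        m = O20_RE.match(line)
        if m:
            # A Winlogon Notify package must name a DLL; a bare directory means the
            # file was removed (often by a scanner) and only the registry key is left.
            if not ntpath.basename(m["path"]):
                findings.append(Finding(line, "fix", f"Winlogon Notify '{m['key']}' points at a directory, not a DLL"))
            continue
        if line.startswith(O23_PREFIX):
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                # Unsigned/unattributed services are worth a look but are not auto-flagged:
                # the thread's Dell and Protexis services are legitimate.
                findings.append(Finding(line, "review", f"service '{parts[0]}' has no publisher; verify {parts[2]} before touching it"))
    return findings


def fix_checked(findings):
    """Lines to tick in HijackThis after the uninstalls (the O23 entry survives if the uninstaller left it)."""
    return [f.line for f in findings if f.action in ("fix", "uninstall")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:9}] {f.reason}\n            {f.line}")
```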
Aallmark
08-04-2009, 12:48 PM
Sorry for not explaining my problems. Firefox has been freezing and crashing for weeks, ever since I was watching a T.V. show online (which is obviously the source of the problem). iTunes won't work. I get this error message: An unexpected error has occurred that this application cannot recover from. It will now close.
Exception Code: 3221225477
YouTube usually won't work, although yesterday I searched the previous error message and came across a similar forum to this one and downloaded and ran a program called "Dial-a-fix" which seemed to have corrected some things on my computer, including my time being in military form and the low disk space message that always appears (and never goes fully away, no matter what I delete), as well as being able to watch videos. I watched maybe 2 1/2 videos before it started skipping and I had to reboot the computer. I ran Dial-a-fix again and it seemed to have worked, although most likely not for good. I've also run CCleaner a number of times and run Malwarebytes' Anti-Malware. I've done disk cleanups but those are never permanent. I've done the spyware guide from another forum.
Perhaps the most concerning problem, which I forgot to mention, is that two out of three user accounts on my computer won't start and instead go to the default, temporary setting.
crunchie
08-04-2009, 05:31 PM
Ok, if you can carry out my previous steps please and post the logs, I will take another look.
Also, download DDS from the following location:
DDS Tool (http://download.bleepingcomputer.com/sUBs/dds.scr)
Save dds.scr to the desktop
Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.
Once you double-click the icon a Windows security warning may also appear asking if you are sure you would like to run the program. Click on the Run button to start DDS. If no warning appeared, then you should just continue.
DDS will now display a small black window providing information as to what DDS is doing on your computer.
DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two Notepad windows named dds.txt and attach.txt.
You will then be shown a small box giving instructions as to what you should do with these files. Feel free to close this message box by pressing the OK button.
We now need to save the two log files that were created. First click on the DDS.txt window, click on the File menu and then select the Save As... menu option.
Save DDS.txt to the desktop. Now click on the Attach.txt Notepad window and save that to the desktop also.
Copy the contents of the DDS.txt log and paste it into your reply here.
Attach the attach.txt log to your reply using the Reply to Thread button, then the Manage Attachments button.
Aallmark
08-06-2009, 12:11 AM
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3 (Safe Mode)
8/5/2009 11:04:13 PM
mbam-log-2009-08-05 (23-04-13).txt
Scan type: Quick Scan
Objects scanned: 219316
Time elapsed: 3 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Aallmark
08-06-2009, 12:19 AM
DDS (Ver_09-07-30.01) - NTFSx86
Run by Maryann at 18:47:49.03 on Wed 08/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1501 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Documents and Settings\Maryann\Desktop\dds.scr
============== Pseudo HJT Report ===============
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\maryann\applic~1\mozilla\firefox\profiles\rves9tnn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-08-05 18:37 <DIR> --d----- c:\windows\system32\CatRoot2
2009-08-04 23:22 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 23:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-04 23:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-04 22:19 <DIR> --d----- c:\docume~1\maryann\APPL
============= FINISH: 18:49:10.20 ===============
Aallmark
08-06-2009, 12:24 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:32 PM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Aallmark
08-06-2009, 12:24 AM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZS
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 10538 bytes
crunchie
08-06-2009, 06:34 AM
That DDS report looks like there are some items missing. Did you edit it in any way? Could you run it once more please to see if it comes up with the same results.
==
Please Run the ESET Online Scanner (http://www.eset.com/onlinescan/) and post the ScanLog with your post for assistance.
You will need to use Internet Explorer to complete this scan.
You will need to temporarily Disable your current Anti-virus program.
Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
NOTE: If you are unable to complete the ESET scan, please try another from the list below:
• Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
• Panda Active Scan (http://www.pandasoftware.com/products/activescan.htm)
• Trend Micro HouseCall (http://housecall.trendmicro.com/housecall/start_corp.asp)
• F-Secure Online Virus Scanner (http://support.f-secure.com/enu/home/ols.shtml)
Aallmark
08-06-2009, 11:27 AM
DDS (Ver_09-07-30.01) - NTFSx86
Run by Maryann at 10:21:24.34 on Thu 08/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1464 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Maryann\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig/dell?hl=en
uSearch Page = hxxp://www.google.com/hws/sb/dell/en/side.html
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/side.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Search - ?p=ZS
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} - hxxp://download.solitaire.com/download/solitaire.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli
Aallmark
08-06-2009, 11:29 AM
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\maryann\applic~1\mozilla\firefox\profiles\rves9tnn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-23 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-23 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-23 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-23 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-23 298776]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-7 151552]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-9-1 114464]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [2004-8-10 5120]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
=============== Created Last 30 ================
2009-08-05 21:00 <DIR> --d----- c:\windows\system32\CatRoot2
2009-08-04 23:22 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 23:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-04 23:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-04 22:19 <DIR> --d----- c:\docume~1\maryann\applic~1\Malwarebytes
2009-08-04 22:12 <DIR> --dsh--- c:\documents and settings\maryann\IECompatCache
2009-08-04 00:57 <DIR> -cd----- C:\HJT
2009-07-30 13:10 0 -c-sh--- C:\ntuser.ini
2009-07-25 01:25 <DIR> --dsh--- c:\documents and settings\maryann\IETldCache
2009-07-24 17:08 <DIR> --dsh--- C:\found.000
2009-07-23 03:52 <DIR> -cd----- C:\Verizon
2009-07-21 20:06 478,886 a------- c:\windows\system32\PerfStringBackup.TMP
2009-07-10 13:28 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-10 13:27 <DIR> --d----- c:\windows\ie8updates
2009-07-10 13:26 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-10 13:26 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-10 13:24 <DIR> -cd-h--- c:\windows\ie8
2009-07-08 13:32 <DIR> --d----- c:\program files\Trojan Remover
2009-07-08 13:29 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-07-08 13:29 153,088 a------- c:\windows\system32\unrar3.dll
2009-07-08 13:29 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-07-08 13:29 75,264 a------- c:\windows\system32\unacev2.dll
2009-07-08 13:29 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-07-08 13:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-07-08 13:26 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-08 13:21 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-08 13:11 161,792 a------- c:\windows\SWREG.exe
2009-07-08 13:11 155,136 a------- c:\windows\PEV.exe
2009-07-08 13:11 98,816 a------- c:\windows\sed.exe
2009-07-07 13:00 <DIR> --d----- c:\program files\CleanUp!
2009-07-07 12:49 <DIR> --d----- c:\program files\MSConfig CleanUp
==================== Find3M ====================
2009-08-04 17:37 78,659 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-29 23:41 8,354 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-18 21:00 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-24 21:55 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2008-04-04 16:04 8 ---shr-- c:\windows\system32\548A51786D.sys
============= FINISH: 10:22:06.45 ===============
crunchie
08-06-2009, 05:48 PM
Please Run the ESET Online Scanner (http://www.eset.com/onlinescan/) and post the ScanLog with your post for assistance.
You will need to use Internet Explorer to complete this scan.
You will need to temporarily Disable your current Anti-virus program.
Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
NOTE: If you are unable to complete the ESET scan, please try another from the list below:
• Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
• Panda Active Scan (http://www.pandasoftware.com/products/activescan.htm)
• Trend Micro HouseCall (http://housecall.trendmicro.com/housecall/start_corp.asp)
• F-Secure Online Virus Scanner (http://support.f-secure.com/enu/home/ols.shtml)
The above too please.
==
Please go to Jotti's (http://virusscan.jotti.org/) or to virustotal (http://www.virustotal.com/en/virustotalf.html) and have these files scanned. Post the results back here.
c:\windows\sed.exe
c:\windows\PEV.exe
==
Please download FileLook by jpshortstuff from one of these mirrors:
Link 1 (http://jpshortstuff.247fixes.com/FileLook.exe)
Link 2 (http://images.malwareremoval.com/jpshortstuff/FileLook.exe)
Double-click FileLook.exe to run it.
Ensure that the BBCode Output checkbox is checked.
Copy the content of the following codebox into the main textfield:
c:\windows\sed.exe
c:\windows\PEV.exe
Click the FileLook button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at C:\FileLook.txt
Aallmark
08-06-2009, 08:35 PM
I'm having trouble with Internet Explorer. If it starts at all, it'll just say "connecting" until it stops responding. I've tried uninstalling and reinstalling it as well as resetting but this doesn't work at all. It stays on the first step for hours.
crunchie
08-06-2009, 10:35 PM
Try one of the other scanners. One or more of them should be able to utilise Firefox.
You will still need to do the other steps.
Aallmark
08-08-2009, 02:27 PM
I can start Panda but it doesn't get past 40% until the computer freezes and I have to restart. Is there anything I can do?
crunchie
08-08-2009, 10:11 PM
How about you try the other steps I laid out?
Aallmark
08-09-2009, 01:30 PM
Ok, I'll do that.
Aallmark
08-09-2009, 01:50 PM
File sed.exe received on 2009.08.08 19:22:54 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.08 -
AhnLab-V3 5.0.0.2 2009.08.08 -
AntiVir 7.9.0.248 2009.08.07 -
Antiy-AVL 2.0.3.7 2009.08.07 -
Authentium 5.1.2.4 2009.08.08 -
Avast 4.8.1335.0 2009.08.07 -
AVG 8.5.0.406 2009.08.08 -
BitDefender 7.2 2009.08.08 -
CAT-QuickHeal 10.00 2009.08.08 -
ClamAV 0.94.1 2009.08.07 -
Comodo 1912 2009.08.08 -
DrWeb 5.0.0.12182 2009.08.08 -
eSafe 7.0.17.0 2009.08.06 -
eTrust-Vet 31.6.6667 2009.08.08 -
F-Prot 4.4.4.56 2009.08.08 -
F-Secure 8.0.14470.0 2009.08.08 -
Fortinet 3.120.0.0 2009.08.08 -
GData 19 2009.08.08 -
Ikarus T3.1.1.64.0 2009.08.08 -
Jiangmin 11.0.800 2009.08.08 -
K7AntiVirus 7.10.814 2009.08.08 -
Kaspersky 7.0.0.125 2009.08.08 -
McAfee 5703 2009.08.08 -
McAfee+Artemis 5703 2009.08.08 -
McAfee-GW-Edition 6.8.5 2009.08.07 -
Microsoft 1.4903 2009.08.08 -
NOD32 4317 2009.08.08 -
Norman 6.01.09 2009.08.07 -
nProtect 2009.1.8.0 2009.08.08 -
Panda 10.0.0.14 2009.08.08 -
PCTools 4.4.2.0 2009.08.08 -
Prevx 3.0 2009.08.08 -
Rising 21.41.52.00 2009.08.08 -
Sophos 4.44.0 2009.08.08 -
Sunbelt 3.2.1858.2 2009.08.08 -
Symantec 1.4.4.12 2009.08.08 -
TheHacker 6.3.4.3.378 2009.08.08 -
TrendMicro 8.950.0.1094 2009.08.08 -
VBA32 3.12.10.9 2009.08.07 -
ViRobot 2009.8.8.1875 2009.08.08 -
VirusBuster 4.6.5.0 2009.08.08 -
Additional information
File size: 98816 bytes
MD5 : 2b657a67aebb84aea5632c53e61e23bf
SHA1 : 7d723cf82658da76bda85ae00bf20cb01b43edc8
SHA256: 95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1220
timedatestamp.....: 0x420C7C1C (Fri Feb 11 10:34:20 2005)
machinetype.......: 0x14C (Intel I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12314 0x12400 6.35 ff9ee697a26ae4c26c7fbc9115a3f9c3
.data 0x14000 0x690 0x800 3.06 8ae042bde9f22cd8399b3308f8e505f5
.rdata 0x15000 0x4994 0x4A00 5.14 b57e09b0f83dd8373df5c5d677214bdd
.bss 0x1A000 0x5280 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x20000 0x71C 0x800 4.04 9fd53d4e99a76e42c236775b15e3731c
( 0 imports )
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (62.9%)
Win32 Executable Generic (14.2%)
Win32 Dynamic Link Library (generic) (12.6%)
Win16/32 Executable Delphi generic (3.4%)
Generic Win/DOS Executable (3.3%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=2b657a67aebb84aea5632c53e61e23bf
ssdeep: 1536:nPk5mqwSSaXyzwhLFR+ISDuAznwMLof2POGagGin6m:PkrwSnCGqNKGak6m
PEiD : Dev-C++ 4.9.9.2 -> Bloodshed Software
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=2b657a67aebb84aea5632c53e61e23bf
RDS : NSRL Reference Data Set
-
Aallmark
08-09-2009, 01:51 PM
File PEV.exe received on 2009.08.08 17:31:46 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.08 -
AhnLab-V3 5.0.0.2 2009.08.08 -
AntiVir 7.9.0.248 2009.08.07 -
Antiy-AVL 2.0.3.7 2009.08.07 -
Authentium 5.1.2.4 2009.08.08 -
Avast 4.8.1335.0 2009.08.07 -
AVG 8.5.0.406 2009.08.08 -
BitDefender 7.2 2009.08.08 -
CAT-QuickHeal 10.00 2009.08.08 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.08.07 -
Comodo 1911 2009.08.08 -
DrWeb 5.0.0.12182 2009.08.08 -
eSafe 7.0.17.0 2009.08.06 Suspicious File
eTrust-Vet 31.6.6667 2009.08.08 -
F-Prot 4.4.4.56 2009.08.08 -
F-Secure 8.0.14470.0 2009.08.08 -
Fortinet 3.120.0.0 2009.08.08 -
GData 19 2009.08.08 -
Ikarus T3.1.1.64.0 2009.08.08 -
Jiangmin 11.0.800 2009.08.08 -
K7AntiVirus 7.10.814 2009.08.08 -
Kaspersky 7.0.0.125 2009.08.08 -
McAfee 5702 2009.08.08 -
McAfee+Artemis 5702 2009.08.08 -
McAfee-GW-Edition 6.8.5 2009.08.07 Heuristic.BehavesLike.Win32.Packed.C
Microsoft 1.4903 2009.08.08 -
NOD32 4317 2009.08.08 -
Norman 6.01.09 2009.08.07 -
nProtect 2009.1.8.0 2009.08.08 -
Panda 10.0.0.14 2009.08.08 -
PCTools 4.4.2.0 2009.08.08 -
Prevx 3.0 2009.08.08 -
Rising 21.41.52.00 2009.08.08 -
Sophos 4.44.0 2009.08.08 -
Sunbelt 3.2.1858.2 2009.08.08 -
Symantec 1.4.4.12 2009.08.08 -
TheHacker 6.3.4.3.378 2009.08.08 -
TrendMicro 8.950.0.1094 2009.08.08 -
VBA32 3.12.10.9 2009.08.07 -
ViRobot 2009.8.8.1875 2009.08.08 -
VirusBuster 4.6.5.0 2009.08.08 -
Additional information
File size: 155136 bytes
MD5 : 915a05f3839497fa5ed64036b376f5bf
SHA1 : 82c7b739aa6a25522280fa33e7cec351524fc95b
SHA256: b56a43b98983ecd011a9611150af2cc9b2bf1f7e055531e1ffa32c1999e39492
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x4A2C45B6 (Mon Jun 8 00:56:54 2009)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6C000 0x24800 8.00 3bf5f284e20099f47ffcaeca82d070a3
.rsrc 0x6D000 0x1000 0x1000 7.57 7638b3b85f7429cdda8c642941448a53
.reloc 0x6E000 0x200 0x200 0.22 f21d6126b0601aea8238b6e37f555939
( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
( 0 exports )
TrID : File type identification
Win32 EXE PECompact compressed (v2.x) (48.9%)
Win32 EXE PECompact compressed (generic) (34.4%)
Win32 Executable Generic (7.0%)
Win32 Dynamic Link Library (generic) (6.2%)
Generic Win/DOS Executable (1.6%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=915a05f3839497fa5ed64036b376f5bf
ssdeep: -
PEiD : PECompact 2.xx --> BitSum Technologies
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact
RDS : NSRL Reference Data Set
-
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.08 -
AhnLab-V3 5.0.0.2 2009.08.08 -
AntiVir 7.9.0.248 2009.08.07 -
Antiy-AVL 2.0.3.7 2009.08.07 -
Authentium 5.1.2.4 2009.08.08 -
Avast 4.8.1335.0 2009.08.07 -
AVG 8.5.0.406 2009.08.08 -
BitDefender 7.2 2009.08.08 -
CAT-QuickHeal 10.00 2009.08.08 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.08.07 -
Comodo 1911 2009.08.08 -
DrWeb 5.0.0.12182 2009.08.08 -
eSafe 7.0.17.0 2009.08.06 Suspicious File
eTrust-Vet 31.6.6667 2009.08.08 -
F-Prot 4.4.4.56 2009.08.08 -
F-Secure 8.0.14470.0 2009.08.08 -
Fortinet 3.120.0.0 2009.08.08 -
GData 19 2009.08.08 -
Ikarus T3.1.1.64.0 2009.08.08 -
Jiangmin 11.0.800 2009.08.08 -
K7AntiVirus 7.10.814 2009.08.08 -
Kaspersky 7.0.0.125 2009.08.08 -
McAfee 5702 2009.08.08 -
McAfee+Artemis 5702 2009.08.08 -
McAfee-GW-Edition 6.8.5 2009.08.07 Heuristic.BehavesLike.Win32.Packed.C
Microsoft 1.4903 2009.08.08 -
NOD32 4317 2009.08.08 -
Norman 6.01.09 2009.08.07 -
nProtect 2009.1.8.0 2009.08.08 -
Panda 10.0.0.14 2009.08.08 -
PCTools 4.4.2.0 2009.08.08 -
Prevx 3.0 2009.08.08 -
Rising 21.41.52.00 2009.08.08 -
Sophos 4.44.0 2009.08.08 -
Sunbelt 3.2.1858.2 2009.08.08 -
Symantec 1.4.4.12 2009.08.08 -
TheHacker 6.3.4.3.378 2009.08.08 -
TrendMicro 8.950.0.1094 2009.08.08 -
VBA32 3.12.10.9 2009.08.07 -
ViRobot 2009.8.8.1875 2009.08.08 -
VirusBuster 4.6.5.0 2009.08.08 -
Additional information
File size: 155136 bytes
MD5 : 915a05f3839497fa5ed64036b376f5bf
SHA1 : 82c7b739aa6a25522280fa33e7cec351524fc95b
SHA256: b56a43b98983ecd011a9611150af2cc9b2bf1f7e055531e1ffa32c1999e39492
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x4A2C45B6 (Mon Jun 8 00:56:54 2009)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6C000 0x24800 8.00 3bf5f284e20099f47ffcaeca82d070a3
.rsrc 0x6D000 0x1000 0x1000 7.57 7638b3b85f7429cdda8c642941448a53
.reloc 0x6E000 0x200 0x200 0.22 f21d6126b0601aea8238b6e37f555939
( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
( 0 exports )
TrID : File type identification
Win32 EXE PECompact compressed (v2.x) (48.9%)
Win32 EXE PECompact compressed (generic) (34.4%)
Win32 Executable Generic (7.0%)
Win32 Dynamic Link Library (generic) (6.2%)
Generic Win/DOS Executable (1.6%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=915a05f3839497fa5ed64036b376f5bf
ssdeep: -
PEiD : PECompact 2.xx --> BitSum Technologies
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact
RDS : NSRL Reference Data Set
-
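The PEInfo block above (and the second one later in the thread for OS_Ats1.dll) lists exactly the fields a triage analyst reads off a section table: per-section virtual size versus raw size, entropy, and MD5. A .text section with entropy 8.00, a virtual size (0x6C000) several times its raw size (0x24800), and an import table reduced to LoadLibraryA/GetProcAddress/VirtualAlloc/VirtualFree is the characteristic shape of a packed executable, which is why PEiD and TrID report PECompact. The following Python is an added example, not code from VirusTotal, PEiD or anyone in the thread: it parses a PE32 section table with the standard library, computes the same entropy and MD5 columns, and scores the two indicators just described. The `build_pe` helper and the `demo_sample` image are constructed test input, not the file discussed in the thread; import parsing is out of scope here.

```python
"""Parse a PE section table and score packing indicators (added example, stdlib only)."""
import hashlib
import math
import random
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table, producing the columns PEInfo reports."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    # AddressOfEntryPoint sits at offset 16 of both the PE32 and PE32+ optional headers
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + i * 40)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp,
            "entry_rva": entry_rva, "sections": sections}


def packing_indicators(info: dict) -> list:
    """Triage heuristics over the section table; each hit is a short reason string."""
    hits = []
    for s in info["sections"]:
        span = max(s["vsize"], s["rawsize"])
        holds_entry = s["vaddr"] <= info["entry_rva"] < s["vaddr"] + span
        if holds_entry and s["entropy"] >= 7.0:
            hits.append(f"{s['name']}: entry point inside a high-entropy section ({s['entropy']})")
        if s["rawsize"] and s["vsize"] > 2 * s["rawsize"]:
            hits.append(f"{s['name']}: virtual size 0x{s['vsize']:X} far exceeds raw size "
                        f"0x{s['rawsize']:X} (room to unpack in place)")
    return hits


def build_pe(sections, entry_rva=0x1000, timestamp=0x4A2C45B6) -> bytes:
    """Assemble a minimal PE32 image from (name, vaddr, vsize, raw) tuples. Constructed test input."""
    opt_size = 224
    hdr_end = 64 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF          # first raw section on a 0x200 file-alignment boundary
    table, blobs = b"", b""
    for name, vaddr, vsize, raw in sections:
        padded = raw + b"\0" * ((-len(raw)) % 0x200)
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(padded), raw_ptr + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += padded
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * (opt_size - 20)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


def demo_sample() -> bytes:
    """A constructed image with the same section shape as the report: small high-entropy .text, big virtual size."""
    rng = random.Random(2009)
    packed_text = bytes(rng.getrandbits(8) for _ in range(0x4000))   # stands in for compressed code
    return build_pe([
        (".text", 0x1000, 0x6C000, packed_text),
        (".rsrc", 0x6D000, 0x1000, b"\0" * 0x1000),
        (".reloc", 0x6E000, 0x200, b"\0" * 0x200),
    ])


if __name__ == "__main__":
    report = parse_pe(demo_sample())
    for s in report["sections"]:
        print(f"{s['name']:<7} 0x{s['vaddr']:X} 0x{s['vsize']:X} 0x{s['rawsize']:X} {s['entropy']:.2f} {s['md5']}")
    for hit in packing_indicators(report):
        print("indicator:", hit)
```

Run against a real file with `parse_pe(open(path, "rb").read())`; the printed rows line up with the `name viradd virsiz rawdsiz ntrpy md5` header in the report, which makes it easy to confirm that a re-downloaded sample is the same build before acting on a hash match. Entropy close to 8.0 alone is not proof of packing (encrypted resources and compressed media look the same), which is why the second indicator, a virtual size far larger than the raw data, is checked as well.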
Aallmark
08-09-2009, 02:00 PM
When I open FileLook it says, "This system has been deprecated in favor of SystemLook. If you were advised to run this by a Forum Helper please inform them, otherwise have a nice day :)
Press any key to continue..."
Aallmark
08-13-2009, 10:38 PM
Can anyone help?
crunchie
08-16-2009, 01:06 AM
Sorry for the delay. I am not getting my email notification.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:file
c:\windows\sed.exe
c:\windows\PEV.exe
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Aallmark
08-17-2009, 05:04 PM
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 16:03 on 17/08/2009 by John A (Administrator - Elevation successful)
========== file ==========
c:\windows\sed.exe - File found and opened.
MD5: 2B657A67AEBB84AEA5632C53E61E23BF
Created at 17:11 on 08/07/2009
Modified at 12:00 on 31/08/2000
Size: 98816 bytes
Attributes: --a---
No version information available.
c:\windows\PEV.exe - File found and opened.
MD5: 915A05F3839497FA5ED64036B376F5BF
Created at 17:11 on 08/07/2009
Modified at 12:10 on 08/06/2009
Size: 155136 bytes
Attributes: --a---
No version information available.
-=End Of File=-
Aallmark
08-17-2009, 05:05 PM
Should I now do FileLook? And also, I'm going to attempt to run Windows in Safe Mode and run the Panda Scan.
crunchie
08-17-2009, 05:36 PM
Given that info and what can be found on the net, I would say that it is time to remove those files.
Download Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog and unzip it to your Desktop.
Note: This program must be run from an account with Administrator privileges.
Open the Avenger folder and double click Avenger.exe to launch the programme.
Copy the text in the code box below and Paste it into the Input script here: box.
Files to delete:
c:\windows\sed.exe
c:\windows\PEV.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Ensure the following:
Scan for Rootkits is checked.
Automatically disable any rootkits found is Unchecked.
Press the Execute key.
Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
Post the log back here please. (it can also be found at C:\avenger.txt)
Post a new hijackthis log too please.
Aallmark
08-17-2009, 08:08 PM
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "c:\windows\sed.exe" deleted successfully.
File "c:\windows\PEV.exe" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Aallmark
08-17-2009, 08:10 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:45 PM, on 8/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Aallmark
08-17-2009, 08:11 PM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 10301 bytes
crunchie
08-17-2009, 09:26 PM
That log looks clear. How is the pc at the moment? Are you able to run youtube? Are you still getting the error message?
Aallmark
08-17-2009, 10:21 PM
Here is the much belated logfile of the Panda Active Scan.
ANALYSIS: 2009-08-17 21:14:36
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 2
;**********************************************************************
PROTECTIONS
Description Version Active Updated
;======================================================================
AVG Anti-Virus Free 8.5 No No
;======================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;======================================================================
00484705 Application/IEDefender HackTools No 0 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\IEDFix.C.exe
00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\Mozilla Firefox\SmitfraudFix\404Fix.exe
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\John A\My Documents\Downloads\avenger\avenger.exe
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\John A\My Documents\Downloads\avenger.zip[avenger.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\John A\My Documents\avenger\avenger.exe
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\John A\Local Settings\Temp\Kg6hrMTU.zip.part[avenger.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\John A\Local Settings\Application Data\Mozilla\Firefox\Profiles\sscrhvtx.default\Cache\36073D5Fd01[avenger.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\senekadf.dll.vir
04889026 Bck/Agent.DPD Virus/Trojan No 1 Yes No C:\Program Files\mackoy\BVE4\Train\LT1995\OS_Ats1.dll
;======================================================================
SUSPECTS
Sent Location @
;======================================================================
No C:\Documents and Settings\Alex\My Documents\Downloads\SmitfraudFix.exe @
No C:\Documents and Settings\John\Application Data\Move Networks\MoveMediaPlayer_07076007.exe @
;======================================================================
VULNERABILITIES
Id Severity Description @
;======================================================================
;======================================================================
Aallmark
08-17-2009, 10:21 PM
Tell me if you need me to edit that to make it easier to read. As for youtube and the error message, I'll get out of safe mode right now to check.
Aallmark
08-17-2009, 10:30 PM
I logged on to my dad's new profile (which I made yesterday because all of the other profiles finally went temporary) and I got the error message as well as a crash when I first started Firefox. I got about halfway through a video before it stopped loading.
crunchie
08-17-2009, 11:27 PM
C:\Documents and Settings\John\Application Data\Move Networks\MoveMediaPlayer_07076007.exe
C:\Program Files\mackoy\BVE4\Train\LT1995\OS_Ats1.dll
Am not sure of the above two, so you may want to give them an online scan.
==
When did you run Combofix? Can you post its log please?
Aallmark
08-18-2009, 12:16 AM
When did I say I ran Combofix?
Aallmark
08-18-2009, 12:19 AM
Should I scan it with System Look?
Aallmark
08-18-2009, 12:42 AM
I scanned the files with System Look as well as Jotti's malware scan and Virustotal. Here are the results.
Aallmark
08-18-2009, 12:45 AM
System Look
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 23:18 on 17/08/2009 by Alex A (Administrator - Elevation successful)
========== file ==========
C:\Documents and Settings\John\Application Data\Move Networks\MoveMediaPlayer_07076007.exe - File found and opened.
MD5: 8DB6C5896EAEB91AD687B6F5078D1656
Created at 19:51 on 20/03/2008
Modified at 19:51 on 20/03/2008
Size: 779536 bytes
Attributes: ------
No version information available.
C:\Program Files\mackoy\BVE4\Train\LT1995\OS_Ats1.dll - File found and opened.
MD5: 8FBED07473004FDFCC7BFF190085CFDF
Created at 12:32 on 17/01/2008
Modified at 18:07 on 21/03/2005
Size: 131070 bytes
Attributes: ------
-=End Of File=-
Aallmark
08-18-2009, 12:46 AM
[ArcaVir]
2009-08-17 Found nothing
[G DATA]
2009-08-18 Backdoor.Generic.95440
[A-Squared]
2009-08-18 Found nothing
[Ikarus]
2009-08-18 Backdoor.Generic
[Avast! antivirus]
2009-08-17 Found nothing
[Kaspersky Anti-Virus]
2009-08-18 Found nothing
[Grisoft AVG Anti-Virus]
2009-08-17 Found nothing
[ESET NOD32]
2009-08-17 Found nothing
[Avira AntiVir]
2009-08-17 Found nothing
[Norman Virus Control]
2009-08-17 Found nothing
[Softwin BitDefender]
2009-08-17 Backdoor.Generic.95440
[Panda Antivirus]
2009-08-17 Found nothing
[ClamAV]
2009-08-18 Found nothing
[Quick Heal]
2009-08-17 Found nothing
[CPsecure]
2009-08-17 Found nothing
[Sophos]
2009-08-18 Found nothing
[Dr.Web]
2009-08-18 Found nothing
[VirusBlokAda VBA32]
2009-08-17 Found nothing
[Frisk F-Prot Antivirus]
2009-08-17 Found nothing
[VirusBuster]
2009-08-17 Found nothing
[F-Secure Anti-Virus]
2009-08-17 Found nothing
Aallmark
08-18-2009, 12:48 AM
VirusTotal
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.22 -
AhnLab-V3 5.0.0.2 2009.03.22 -
AntiVir 7.9.0.120 2009.03.21 -
Authentium 5.1.2.4 2009.03.21 -
Avast 4.8.1335.0 2009.03.21 -
AVG 8.5.0.283 2009.03.21 -
BitDefender 7.2 2009.03.22 Backdoor.Generic.95440
CAT-QuickHeal 10.00 2009.03.21 -
ClamAV 0.94.1 2009.03.22 -
Comodo 1080 2009.03.22 -
DrWeb 4.44.0.09170 2009.03.22 -
eSafe 7.0.17.0 2009.03.19 -
eTrust-Vet 31.6.6409 2009.03.20 -
F-Prot 4.4.4.56 2009.03.21 -
F-Secure 8.0.14470.0 2009.03.22 -
Fortinet 3.117.0.0 2009.03.22 -
GData 19 2009.03.22 Backdoor.Generic.95440
Ikarus T3.1.1.48.0 2009.03.22 -
K7AntiVirus 7.10.678 2009.03.21 -
Kaspersky 7.0.0.125 2009.03.22 -
McAfee 5560 2009.03.21 -
McAfee+Artemis 5560 2009.03.21 -
McAfee-GW-Edition 6.7.6 2009.03.21 -
Microsoft 1.4502 2009.03.22 -
NOD32 3953 2009.03.21 -
Norman 6.00.06 2009.03.20 -
nProtect 2009.1.8.0 2009.03.22 -
Panda 10.0.0.10 2009.03.22 Suspicious file
PCTools 4.4.2.0 2009.03.22 -
Prevx1 V2 2009.03.22 -
Rising 21.21.62.00 2009.03.22 -
Sophos 4.39.0 2009.03.22 -
Sunbelt 3.2.1858.2 2009.03.21 -
Symantec 1.4.4.12 2009.03.22 -
TheHacker 6.3.3.3.287 2009.03.22 Backdoor/Small.ejs
TrendMicro 8.700.0.1004 2009.03.22 -
VBA32 3.12.10.1 2009.03.22 -
ViRobot 2009.3.20.1658 2009.03.20 -
VirusBuster 4.6.5.0 2009.03.21 -
Additional information
File size: 779536 bytes
MD5 : 8db6c5896eaeb91ad687b6f5078d1656
SHA1 : 4107bf4ce80f6481e4565507f1d1a7799718b34a
SHA256: a196deb6e934903770a8f8660f0505223040509788db88cef6c3f2164a18e1f7
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3190
timedatestamp.....: 0x4669CEBA (Fri Jun 8 23:48:42 2007)
machinetype.......: 0x14C (Intel I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5B76 0x5C00 6.48 f0f9ee4cc1fa3ba8814268c19dc00cfa
.rdata 0x7000 0x1286 0x1400 5.04 cc69405d249aab53fcf2c537438bba55
.data 0x9000 0x25CB8 0x400 5.05 77db9b8fc4ff1b9da5c345447874e259
.ndata 0x2F000 0xA000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x39000 0x900 0xA00 3.94 d449ea095115ee33a56e10ea1e8a456e
( 8 imports )
> advapi32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> comctl32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> gdi32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> kernel32.dll: SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CopyFileA, CloseHandle, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, ExitProcess
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> shell32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> user32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> version.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=8db6c5896eaeb91ad687b6f5078d1656
ssdeep: 12288:7LnHSyS/Q6Z/0pXhLe2i/HWn8cQfebDjFZdcdJRyZAFARzJX3DlWmcvh:vnyyS/PZspX4zJtf2fGdqCGRzFJWmcvh
PEiD : -
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
RDS : NSRL Reference Data Set
Aallmark
08-18-2009, 12:51 AM
Jotti's Malware Scan
[ArcaVir]
2009-07-04 Trojan.Xeol.h
[G DATA]
2009-07-04 Backdoor.Generic.153537
[A-Squared]
2009-07-04 Found nothing
[Ikarus]
2009-07-04 Backdoor.Win32.Xeol
[Avast! antivirus]
2009-07-03 Found nothing
[Kaspersky Anti-Virus]
2009-07-04 Found nothing
[Grisoft AVG Anti-Virus]
2009-07-03 Found nothing
[ESET NOD32]
2009-07-04 Found nothing
[Avira AntiVir]
2009-07-03 Found nothing
[Norman Virus Control]
2009-07-03 Found nothing
[Softwin BitDefender]
2009-07-04 Backdoor.Generic.153537
[Panda Antivirus]
2009-07-03 Found nothing
[ClamAV]
2009-07-03 Found nothing
[Quick Heal]
2009-07-03 Found nothing
[CPsecure]
2009-07-04 BackDoor.W32.Xeol.g
[Sophos]
2009-07-04 Mal/Generic-A
[Dr.Web]
2009-07-04 Found nothing
[VirusBlokAda VBA32]
2009-07-03 Backdoor.Win32.Xeol.g
[Frisk F-Prot Antivirus]
2009-07-03 Found nothing
[VirusBuster]
2009-07-03 Found nothing
[F-Secure Anti-Virus]
2009-07-04 Found nothing
Aallmark
08-18-2009, 12:53 AM
Virus Total
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.06.02 Backdoor.Win32.Xeol!IK
AhnLab-V3 5.0.0.2 2009.06.01 Win-Trojan/Xeol.131070
AntiVir 7.9.0.180 2009.06.01 -
Antiy-AVL 2.0.3.1 2009.06.02 Backdoor/Win32.Xeol
Authentium 5.1.2.4 2009.06.02 -
Avast 4.8.1335.0 2009.06.01 -
AVG 8.5.0.339 2009.06.01 -
BitDefender 7.2 2009.06.02 Backdoor.Generic.153537
CAT-QuickHeal 10.00 2009.06.01 Backdoor.Xeol.g
ClamAV 0.94.1 2009.06.02 -
Comodo 1199 2009.06.02 Backdoor.Win32.Xeol.g
DrWeb 5.0.0.12182 2009.05.29 -
eSafe 7.0.17.0 2009.06.01 Win32.Backdoor.Xeol
eTrust-Vet 31.6.6534 2009.06.02 -
F-Prot 4.4.4.56 2009.06.02 -
F-Secure 8.0.14470.0 2009.06.02 -
Fortinet 3.117.0.0 2009.06.02 W32/Xeol.G!tr.bdr
GData 19 2009.06.02 Backdoor.Generic.153537
Ikarus T3.1.1.57.0 2009.06.02 -
K7AntiVirus 7.10.749 2009.05.29 Backdoor.Win32.Xeol
Kaspersky 7.0.0.125 2009.06.02 -
McAfee 5633 2009.06.01 Generic BackDoor
McAfee+Artemis 5633 2009.06.01 Generic BackDoor
McAfee-GW-Edition 6.7.6 2009.05.29 -
Microsoft 1.4701 2009.06.01 -
NOD32 4121 2009.06.02 probably a variant of Win32/Agent
Norman 2009.06.01 -
nProtect 2009.1.8.0 2009.06.02 Backdoor/W32.Xeol.131070
Panda 10.0.0.14 2009.06.01 Bck/Agent.DPD
Prevx 3.0 2009.06.02 Medium Risk Malware
Rising 21.32.10.00 2009.06.02 -
Sophos 4.42.0 2009.06.02 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.06.02 Backdoor.Win32.Xeol.g
Symantec 1.4.4.12 2009.06.02 -
TheHacker 6.3.4.3.335 2009.06.01 Backdoor/Xeol.g
TrendMicro 8.950.0.1092 2009.06.01 -
VBA32 3.12.10.6 2009.06.02 Backdoor.Win32.Xeol.g
ViRobot 2009.6.2.1764 2009.06.02 -
VirusBuster 4.6.5.0 2009.06.01 -
Additional information
File size: 131070 bytes
MD5 : 8fbed07473004fdfcc7bff190085cfdf
SHA1 : ae468771d1f7554a220b95693f53713c721eb424
SHA256: 765533cb42cf0ebb760bb149011a30cf488320048f665968e893441b5b484c65
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x423EE34D (Mon Mar 21 16:07:57 2005)
machinetype.......: 0x14C (Intel I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xEB60 0xEC00 6.56 46fc13d7d579fbca3bf99f56467a456d
.data 0x10000 0x1544 0x1600 2.86 0d532c565908fecb813ba1fbc1048628
.rdata 0x12000 0x15FC 0x1600 4.32 d0196e1545d407e82a8a84fa37bb33d0
.bss 0x14000 0x5640 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x1A000 0x174 0x200 3.91 26ecc2dfec8635b4e6e72176fb66c376
.idata 0x1B000 0x4A8 0x600 3.83 8e00e9a3da5f69ece3390f873b680b0c
.rsrc 0x1C000 0x320 0x400 2.71 22d983ac38eafb3e8093a940d23930c2
.reloc 0x1D000 0x1328 0x1400 6.60 4f3ccad0231403b13a8043ffcf8d0286
( 0 imports )
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (76.4%)
Win32 Dynamic Link Library (generic) (15.3%)
Generic Win/DOS Executable (4.0%)
DOS Executable Generic (4.0%)
VXD Driver (0.0%)
ssdeep: 3072:M6Vp7HrbIwEPAHGQXdoTrkfsRYHhjudju2fZiiusOChC38usHf2fY6En6T2TSCOi:XJwwEPAmofsRYHhjudju2oiusOChC38R
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=40E45436FED04076FF9B0134391EFA007ACD3AB4
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=8fbed07473004fdfcc7bff190085cfdf
RDS : NSRL Reference Data Set
-
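The four multi-engine reports posted above (two from Jotti, two from VirusTotal) have to be read together to answer crunchie's question about the two uncertain files: the same engine can appear under different spellings ("a-squared" and "A-Squared", "GData" and "G DATA"), the VirusTotal rows have a free-text result column that may contain spaces or be a bare "-", and one row (Norman) lacks a version field. The Python below is an added example, not output or code from VirusTotal, Jotti or anyone in the thread: it parses both text formats, merges them by normalised engine name, and reports a detection ratio and the engines that flagged the file. The sample inputs are rows copied from the thread's own reports, trimmed to a handful of engines.

```python
"""Normalise VirusTotal and Jotti text reports into one per-engine verdict table (added example)."""
import re

# VirusTotal rows: Engine [Version] LastUpdate Result; Result may be '-' or contain spaces.
VT_ROW = re.compile(r"^(\S+)\s+(?:(\S+)\s+)?(\d{4}\.\d{2}\.\d{2})\s+(.*?)\s*$")
# Jotti blocks: an "[Engine]" line followed by "YYYY-MM-DD verdict".
JOTTI_ENGINE = re.compile(r"^\[(.+)\]$")
JOTTI_VERDICT = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.*?)\s*$")
CLEAN_MARKERS = {"-", "", "Found nothing"}

# Constructed samples: rows copied from the reports in this thread, cut down to a few engines.
VT_SAMPLE = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.06.02 Backdoor.Win32.Xeol!IK
AntiVir 7.9.0.180 2009.06.01 -
BitDefender 7.2 2009.06.02 Backdoor.Generic.153537
McAfee 5633 2009.06.01 Generic BackDoor
NOD32 4121 2009.06.02 probably a variant of Win32/Agent
Norman 2009.06.01 -
Panda 10.0.0.14 2009.06.01 Bck/Agent.DPD
Symantec 1.4.4.12 2009.06.02 -
"""

JOTTI_SAMPLE = """\
[ArcaVir]
2009-07-04 Trojan.Xeol.h
[G DATA]
2009-07-04 Backdoor.Generic.153537
[A-Squared]
2009-07-04 Found nothing
[Kaspersky Anti-Virus]
2009-07-04 Found nothing
[Sophos]
2009-07-04 Mal/Generic-A
"""


def parse_virustotal(text: str) -> dict:
    """Map engine -> detection name, or None when the engine reported the file clean."""
    records = {}
    for line in text.splitlines():
        m = VT_ROW.match(line.strip())
        if not m or m.group(1) == "Antivirus":      # header row never matches the date pattern anyway
            continue
        engine, _version, _updated, result = m.groups()
        records[engine] = None if result in CLEAN_MARKERS else result
    return records


def parse_jotti(text: str) -> dict:
    """Same engine -> verdict mapping for Jotti's two-line-per-engine layout."""
    records, engine = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = JOTTI_ENGINE.match(line)
        if m:
            engine = m.group(1)
            continue
        m = JOTTI_VERDICT.match(line)
        if m and engine:
            _date, result = m.groups()
            records[engine] = None if result in CLEAN_MARKERS else result
            engine = None
    return records


def merge(*reports: dict) -> dict:
    """Union by engine, ignoring case and punctuation in names; a flag from any service is kept."""
    merged = {}
    for report in reports:
        for engine, result in report.items():
            key = re.sub(r"[^a-z0-9]", "", engine.lower())
            name, prior = merged.get(key, (engine, None))
            merged[key] = (name, prior or result)
    return {name: result for name, result in merged.values()}


def detection_ratio(records: dict) -> tuple:
    """(engines that flagged the file, engines that scanned it), the familiar 'x/y' figure."""
    return sum(1 for r in records.values() if r), len(records)


def flagged_engines(records: dict) -> list:
    return sorted(engine for engine, result in records.items() if result)


if __name__ == "__main__":
    combined = merge(parse_virustotal(VT_SAMPLE), parse_jotti(JOTTI_SAMPLE))
    flagged, total = detection_ratio(combined)
    print(f"{flagged}/{total} engines flagged the file")
    for engine in flagged_engines(combined):
        print(f"  {engine}: {combined[engine]}")
```

The merge deliberately keeps the first spelling of an engine name it sees and lets a detection from either service override a clean verdict, since the two services ran different signature dates; if the point of the comparison is signature drift over time, keep the reports separate and diff the ratios instead.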
Aallmark
08-18-2009, 01:00 AM
I vaguely remember downloading ComboFix as part of a spyware guide I did a long time ago. Should I run it again? I'm not sure where the logfile is.
crunchie
08-18-2009, 01:36 AM
When did I say I ran Combofix?
You never, but I can see in your log that it has been on your pc.
You need to uninstall that version of combofix.
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.
http://i5.photobucket.com/albums/y153/crunchie1/CF_cleanup.png
====
Please download ComboFix by sUBs from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or HERE (http://subs.geekstogo.com/ComboFix.exe)
You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Run Combofix ONCE only!!
====
Delete those two files I had you scan too.
Aallmark
08-18-2009, 01:42 AM
I'm getting disk full errors. I'll try to fix it though.
Aallmark
08-20-2009, 04:30 PM
ComboFix 09-08-19.0C - Alex A 08/20/2009 15:05.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1354 [GMT -4:00]
Running from: c:\documents and settings\Alex A.ALEXPC\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Fonts\WPHV07NB.TTF
.
((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.
2009-08-20 19:02 . 2009-08-20 19:02 -------- d-----w- c:\documents and settings\Alex A.ALEXPC\Application Data\SUPERAntiSpyware.com
2009-08-19 15:07 . 2009-08-20 19:02 41312 ----a-w- c:\documents and settings\Alex A.ALEXPC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 15:07 . 2009-08-19 15:07 -------- d-----w- c:\documents and settings\Alex A.ALEXPC\.housecall6.6
2009-08-17 22:49 . 2009-08-17 22:49 -------- d-----w- c:\documents and settings\Alex A.ALEXPC\Local Settings\Application Data\Mozilla
2009-08-17 22:48 . 2009-08-17 22:48 -------- d-----w- c:\documents and settings\Alex A.ALEXPC\Local Settings\Application Data\Ahead
2009-08-17 22:48 . 2009-08-17 22:48 -------- d--h--w- c:\documents and settings\Alex A.ALEXPC\Application Data\GTek
2009-08-16 05:13 . 2009-08-16 05:13 -------- d-----w- c:\documents and settings\John A\Application Data\Motive
2009-08-16 05:05 . 2009-08-16 05:05 -------- d-----w- c:\documents and settings\John A\Local Settings\Application Data\Mozilla
2009-08-16 05:05 . 2009-08-16 05:05 -------- d-----w- c:\documents and settings\John A\Local Settings\Application Data\Apple Computer
2009-08-16 05:04 . 2009-08-16 05:04 -------- d-----w- c:\documents and settings\John A\Local Settings\Application Data\Ahead
2009-08-16 01:21 . 2009-08-16 01:21 -------- d-sh--w- C:\found.001
2009-08-16 00:13 . 2009-08-16 00:13 -------- d-----w- c:\program files\ACW
2009-08-15 21:36 . 2009-08-15 21:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel
2009-08-15 21:18 . 2009-08-15 21:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-08-15 21:17 . 2009-08-15 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-08-15 21:06 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-08-15 21:05 . 2009-08-15 21:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-08-15 18:44 . 2009-08-15 18:44 41312 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 18:43 . 2009-08-15 18:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2009-08-15 18:43 . 2009-08-15 18:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-08-15 18:21 . 2009-08-15 18:21 -------- d-sh--w- c:\documents and settings\TEMP.ALEXPC.016\IETldCache
2009-08-15 18:21 . 2009-08-16 02:36 -------- d-----w- c:\documents and settings\Maryann.ALEXPC
2009-08-15 18:21 . 2009-08-15 18:21 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.016
2009-08-15 16:59 . 2009-08-20 19:04 -------- d-----w- c:\windows\system32\CatRoot2
2009-08-09 21:56 . 2009-08-12 20:53 -------- d-----w- c:\program files\NOS
2009-08-09 21:56 . 2009-08-12 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-08 16:10 . 2009-08-08 16:59 -------- d-----w- c:\temp\.cleanup.tmp
2009-08-08 00:54 . 2009-08-08 00:55 -------- d-----w- c:\documents and settings\Maryann\.housecall6.6
2009-08-07 23:16 . 2009-08-07 23:16 -------- d--h--w- c:\documents and settings\Maryann\InstallAnywhere
2009-08-07 23:10 . 2009-08-07 23:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-07 21:11 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-07 21:10 . 2009-08-07 21:10 -------- d-----w- c:\program files\Panda Security
2009-08-06 21:19 . 2009-08-06 21:19 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-08-06 15:46 . 2009-08-06 15:46 -------- d-sh--w- c:\documents and settings\Maryann\PrivacIE
2009-08-06 15:26 . 2009-08-06 15:28 -------- dc-h--w- c:\windows\ie8
2009-08-06 15:17 . 2009-08-06 15:17 -------- d-----w- c:\documents and settings\Maryann\Application Data\Corel
2009-08-06 02:34 . 2009-08-06 02:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-05 03:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 03:22 . 2009-08-05 03:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 03:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 02:19 . 2009-08-05 02:19 -------- d-----w- c:\documents and settings\Maryann\Application Data\Malwarebytes
2009-08-05 02:12 . 2009-08-05 02:12 -------- d-sh--w- c:\documents and settings\Maryann\IECompatCache
2009-08-04 15:33 . 2009-08-04 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-04 15:10 . 2009-08-04 15:10 -------- d-----w- c:\documents and settings\Maryann\Application Data\CyberLink
2009-08-04 15:09 . 2009-08-04 15:10 -------- d-----w- c:\documents and settings\Maryann\Local Settings\Application Data\PowerDVD
2009-08-04 09:00 . 2009-08-16 00:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-08-04 05:01 . 2009-08-04 05:01 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-04 05:01 . 2009-08-04 05:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-04 05:01 . 2009-08-04 05:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-04 04:57 . 2009-08-04 05:03 -------- dc----w- C:\HJT
2009-08-03 07:23 . 2009-08-03 07:26 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.015
2009-08-02 06:28 . 2009-08-02 06:29 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.014
2009-08-02 06:21 . 2009-08-02 06:21 -------- d-sh--w- c:\documents and settings\TEMP.ALEXPC.012\IETldCache
2009-08-02 06:21 . 2009-08-02 06:21 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.012
2009-07-30 23:55 . 2009-07-30 23:55 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.013
2009-07-30 21:10 . 2009-07-30 21:10 -------- d-sh--w- c:\documents and settings\TEMP.ALEXPC.011\IETldCache
2009-07-30 21:09 . 2009-07-30 21:10 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.011
2009-07-30 17:48 . 2009-08-15 20:00 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.010
2009-07-30 17:48 . 2009-07-30 17:48 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.009
2009-07-30 17:15 . 2009-07-30 17:15 -------- d-sh--w- c:\documents and settings\Alex.ALEXPC\IETldCache
2009-07-30 17:15 . 2009-07-30 17:31 -------- d-----w- c:\documents and settings\Alex.ALEXPC.000
2009-07-30 17:14 . 2009-07-30 17:15 -------- d-----w- c:\documents and settings\Alex.ALEXPC
2009-07-30 17:10 . 2009-07-30 17:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-29 06:46 . 2009-07-29 06:46 41312 ----a-w- c:\documents and settings\Maryann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-27 21:51 . 2009-07-27 21:52 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.008
2009-07-25 05:25 . 2009-07-25 05:25 -------- d-sh--w- c:\documents and settings\Maryann\IETldCache
2009-07-24 21:08 . 2009-07-24 21:08 -------- d-sh--w- C:\found.000
2009-07-24 20:17 . 2009-07-24 20:17 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.007
2009-07-24 20:16 . 2009-07-24 20:16 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.006
2009-07-23 14:34 . 2009-07-23 14:34 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.005
2009-07-23 07:52 . 2009-07-23 07:52 -------- dc----w- C:\Verizon
2009-07-23 07:52 . 2009-07-23 07:52 -------- d-sh--w- c:\documents and settings\TEMP.ALEXPC.004\IETldCache
2009-07-23 07:52 . 2009-07-23 07:52 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.004
2009-07-23 03:47 . 2009-07-23 03:47 -------- d-sh--w- c:\documents and settings\TEMP.ALEXPC.003\IETldCache
2009-07-23 03:47 . 2009-07-23 03:47 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.003
2009-07-23 02:27 . 2009-07-23 02:27 -------- d-sh--w- c:\documents and settings\TEMP.ALEXPC.002\IETldCache
2009-07-23 02:27 . 2009-07-23 02:27 -------- d-----w- c:\documents and settings\TEMP.ALEXPC.002
Aallmark
08-20-2009, 04:31 PM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 04:33 . 2008-01-08 01:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-17 22:48 . 2009-08-17 22:48 -------- d-----w- c:\documents and settings\Alex A.ALEXPC\Application Data\Verizon
2009-08-17 03:42 . 2008-09-27 13:06 -------- d-----w- c:\program files\RegScrubXP
2009-08-16 05:04 . 2009-08-16 05:04 -------- d--h--w- c:\documents and settings\John A\Application Data\GTek
2009-08-16 05:04 . 2009-08-16 05:04 -------- d-----w- c:\documents and settings\John A\Application Data\Verizon
2009-08-15 22:20 . 2005-12-30 21:51 8354 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-15 22:20 . 2005-12-30 21:51 104 --sh--r- c:\windows\system32\6D78518A54.sys
2009-08-10 21:25 . 2005-12-28 01:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-06 14:43 . 2005-12-22 16:32 -------- d-----w- c:\program files\Real
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 02:15 . 2005-12-22 16:28 -------- d-----w- c:\program files\Modem Helper
2009-08-04 21:37 . 2004-08-10 19:03 78659 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-22 00:22 . 2005-12-22 16:42 -------- d-----w- c:\program files\Google
2009-07-22 00:07 . 2007-11-13 00:54 -------- d-----w- c:\program files\Canon
2009-07-19 01:00 . 2008-09-23 05:10 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-11 05:32 . 2007-10-11 19:40 -------- d-----w- c:\program files\Verizon
2009-07-11 04:51 . 2005-12-31 00:58 41312 ----a-w- c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 04:22 . 2007-05-25 21:08 -------- d-----w- c:\documents and settings\Alex\Application Data\Move Networks
2009-07-11 04:21 . 2005-12-22 16:30 -------- d-----w- c:\program files\MUSICMATCH
2009-07-10 03:26 . 2005-12-22 16:35 -------- d-----w- c:\program files\Common Files\Corel
2009-07-10 03:26 . 2005-12-28 01:32 -------- d-----w- c:\documents and settings\Alex\Application Data\Corel
2009-07-10 03:26 . 2005-12-22 16:39 -------- d-----w- c:\program files\Corel
2009-07-10 03:22 . 2008-02-07 08:00 -------- d-----w- c:\program files\Yahoo!
2009-07-09 20:27 . 2009-07-08 17:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-09 01:50 . 2007-04-01 02:25 -------- d-----w- c:\program files\LimeWire
2009-07-09 01:44 . 2008-09-14 02:46 -------- d-----w- c:\program files\Safari
2009-07-08 17:32 . 2009-07-08 17:32 -------- d-----w- c:\program files\Trojan Remover
2009-07-08 17:32 . 2009-07-08 17:29 -------- d-----w- c:\documents and settings\Alex\Application Data\Simply Super Software
2009-07-08 17:29 . 2009-07-08 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-07-08 05:38 . 2006-01-02 18:49 55424 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 17:00 . 2009-07-07 17:00 -------- d-----w- c:\program files\CleanUp!
2009-07-07 16:49 . 2009-07-07 16:49 -------- d-----w- c:\program files\MSConfig CleanUp
2009-07-07 03:13 . 2009-07-07 03:13 -------- d-----w- c:\documents and settings\Alex\Application Data\Malwarebytes
2009-07-06 15:53 . 2005-12-22 16:31 -------- d-----w- c:\program files\Common Files\AOL
2009-07-06 15:40 . 2005-12-22 16:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 15:01 . 2009-07-06 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-07-06 14:55 . 2006-07-11 23:08 -------- d-----w- c:\documents and settings\Alex\Application Data\Atari
2009-07-06 14:52 . 2006-06-19 01:03 -------- d-----w- c:\program files\EPSON
2009-07-06 14:49 . 2009-01-25 02:54 -------- d-----w- c:\program files\VRC
2009-07-06 14:48 . 2009-01-10 03:35 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2009-07-06 14:47 . 2008-02-03 17:35 -------- d-----w- c:\program files\ASRC
2009-07-06 03:26 . 2005-12-22 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-06 02:44 . 2009-07-06 02:44 -------- d-----w- c:\program files\CCleaner
2009-07-05 04:28 . 2008-09-24 00:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-05 04:28 . 2009-07-05 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-07-05 04:28 . 2009-07-05 04:28 -------- d-----w- c:\documents and settings\Alex\Application Data\InstallShield
2009-07-03 19:27 . 2009-07-03 19:27 -------- d-----w- c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com
2009-07-03 17:09 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 01:55 . 2008-09-23 05:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 01:55 . 2008-09-23 05:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-22 21:05 . 2009-07-09 20:27 3015544 ----a-w- c:\documents and settings\Alex\Application Data\Simply Super Software\Trojan Remover\oij3.exe
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 23:10 . 2009-06-12 23:10 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 14:13 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-04-04 20:04 . 2008-04-04 20:04 8 --sh--r- c:\windows\system32\548A51786D.sys
.
Aallmark
08-20-2009, 04:34 PM
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\dllcache\regsvc.dll
[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\dllcache\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-06-01 1059720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
c:\documents and settings\John\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Express\BBLauncher.exe [2008-9-25 93888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 01:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/7/2009 5:11 PM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/23/2008 1:10 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/23/2008 1:11 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/23/2008 1:10 AM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/23/2008 1:10 AM 298776]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [6/7/2009 12:23 PM 151552]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/10/2004 2:50 PM 5120]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
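The lines prefixed `[-]` in the post above list several on-disk copies of the same Windows file, each with its MD5. The way to read them is that the live copy in system32 should match the pristine copy Windows keeps in system32\dllcache (and, on a service-packed box, in ServicePackFiles\i386), whereas copies under $hf_mig$ and $NtServicePackUninstall$ are older versions kept for rollback and are expected to differ. The script below is an added example, not code from this thread or from ComboFix: it parses lines in that format and reports whether each file's live copy agrees with its reference copies. The regsvc.dll and shsvcs.dll lines are taken from the log above; the two sample.dll lines, their hashes and the helper names are invented for the example to show what a mismatch looks like.

```python
"""Cross-check ComboFix-style "[-]" file-hash lines for patched system files.

Example code written for this thread; sample.dll and its hashes are invented.
"""
import re
from collections import defaultdict

# Constructed sample: first seven lines copied from the log in this thread,
# last two invented so that a live copy differs from its dllcache reference.
SAMPLE_LINES = """\
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\\windows\\system32\\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\\windows\\system32\\dllcache\\regsvc.dll
[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\\windows\\$hf_mig$\\KB928255\\SP2QFE\\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\\windows\\$NtServicePackUninstall$\\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\\windows\\ServicePackFiles\\i386\\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\\windows\\system32\\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\\windows\\system32\\dllcache\\shsvcs.dll
[-] 2008-04-14 00:12 15360 0123456789ABCDEF0123456789ABCDEF c:\\windows\\system32\\dllcache\\sample.dll
[-] 2009-08-15 22:20 15872 FEDCBA9876543210FEDCBA9876543210 c:\\windows\\system32\\sample.dll
"""

# "[-] <date> <time> <size> <md5> <path>"
LINE_RE = re.compile(r"^\[-\]\s+(\S+ \S+)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+?)\s*$")

# Older versions kept for uninstall/rollback: expected to differ, not evidence of tampering.
ROLLBACK_DIRS = ("$hf_mig$", "$ntservicepackuninstall$", "$ntuninstall")
# Pristine copies Windows File Protection restores from.
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\i386\\")


def parse(text):
    """Return one dict per well-formed "[-]" line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, size, md5, path = m.groups()
        entries.append({"stamp": stamp, "size": int(size),
                        "md5": md5.upper(), "path": path.lower()})
    return entries


def classify(path):
    """Label a (lower-cased) path as rollback, reference, live or other."""
    if any(d in path for d in ROLLBACK_DIRS):
        return "rollback"
    if any(d in path for d in REFERENCE_DIRS):
        return "reference"
    if "\\system32\\" in path:
        return "live"
    return "other"


def check(entries):
    """Map each file name to ok / mismatch / reference copies disagree / insufficient data."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1]].append(e)
    report = {}
    for name, copies in sorted(by_name.items()):
        live = [c for c in copies if classify(c["path"]) == "live"]
        refs = [c for c in copies if classify(c["path"]) == "reference"]
        if not live or not refs:
            report[name] = "insufficient data"
            continue
        ref_md5s = {c["md5"] for c in refs}
        if len(ref_md5s) > 1:
            # dllcache and ServicePackFiles should agree; if not, neither is trustworthy.
            report[name] = "reference copies disagree"
            continue
        bad = [c for c in live if c["md5"] not in ref_md5s]
        report[name] = "mismatch" if bad else "ok"
    return report


if __name__ == "__main__":
    for name, verdict in check(parse(SAMPLE_LINES)).items():
        print(f"{name:12s} {verdict}")
```

Paste the `[-]` block of a log into `SAMPLE_LINES` (or read it from a file) and anything reported as `mismatch` is a live system file that no longer matches the copy Windows File Protection would restore, which is what `sfc /scannow` later in this thread is meant to repair.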
Aallmark
08-20-2009, 04:52 PM
Ok this is weird but the browser crashed a couple times when I was posting this and now I can't find where I was in the .txt file at all. It doesn't seem to exist. I've tried to use Ctrl + F but it's not there.
crunchie
08-20-2009, 05:39 PM
The combofix log can be found in C:\qoobox
==
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
====
Go to Start | Run and type in sfc /scannow and hit the Ok button. Insert your CD if/when requested.
====
When done, see how the pc is and let us know.
Aallmark
08-20-2009, 06:10 PM
I'll just post the log again.
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 23:10 . 2009-06-12 23:10 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 14:13 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-04-04 20:04 . 2008-04-04 20:04 8 --sh--r- c:\windows\system32\548A51786D.sys
.
Aallmark
08-20-2009, 06:57 PM
------- Sigcheck -------
[-] 2004-08-04 11:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\cache\svchost.exe
[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\dllcache\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\dllcache\cache\user32.dll
[-] 2004-08-04 11:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\dllcache\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\dllcache\cache\ws2_32.dll
[-] 2004-08-04 11:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe
[-] 2004-08-04 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\cache\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys
[-] 2004-08-04 11:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\dllcache\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\dllcache\cache\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\cache\explorer.exe
[-] 2004-08-04 11:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\dllcache\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\dllcache\cache\lsass.exe
[-] 2004-08-04 11:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\cache\ctfmon.exe
[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\dllcache\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\dllcache\cache\spoolsv.exe
[-] 2004-08-04 11:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\cache\userinit.exe
[-] 2004-08-04 11:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\dllcache\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\dllcache\cache\termsrv.dll
Aallmark
08-20-2009, 07:00 PM
[-] 2004-08-04 11:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\dllcache\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\dllcache\cache\powrprof.dll
[-] 2004-08-04 11:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\dllcache\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\dllcache\cache\imm32.dll
[-] 2004-08-04 04:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\dllcache\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\dllcache\cache\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
[-] 2004-08-04 11:00 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\$NtServicePackUninstall$\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\ServicePackFiles\i386\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\dllcache\comres.dll
[-] 2004-08-04 11:00 22016 74D66B3DE265E8789153414E75175F26 c:\windows\$NtServicePackUninstall$\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\dllcache\lpk.dll
[-] 2004-08-04 11:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
[-] 2004-08-04 11:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys
[-] 2004-08-04 11:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\dllcache\null.sys
[-] 2004-08-04 11:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys
[-] 2006-02-15 00:30 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\dllcache\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\drivers\aec.sys
[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\dllcache\mfc40u.dll
[-] 2004-08-04 11:00 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\dllcache\msgsvc.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\dllcache\comctl32.dll
[-] 2008-04-14 00:12 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\InstallTemp\1465531\comctl32.dll
[-] 2004-08-04 11:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-04 11:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[-] 2008-04-14 09:42 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
Aallmark
08-20-2009, 07:00 PM
[-] 2004-08-04 11:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\dllcache\acpiec.sys
[-] 2004-08-04 11:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys
[-] 2004-08-04 11:00 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\$NtServicePackUninstall$\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\dllcache\sfc.dll
[-] 2004-08-04 11:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\$NtServicePackUninstall$\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\dllcache\netlogon.dll
[-] 2004-08-04 11:00 382464 2C69EC7E5A311334D10DD95F338FCCEA c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\bits\qmgr.dll
[-] 2008-04-14 00:12 409088 574738F61FCA2935F5265DC4E5691314 c:\windows\system32\dllcache\qmgr.dll
[-] 2004-08-04 11:00 180224 0F78E27F563F2AAF74B91A49E2ABF19A c:\windows\$NtServicePackUninstall$\scecli.dll
[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\scecli.dll
[-] 2008-04-14 00:12 181248 A86BB5E61BF3E39B62AB4C7E7085A084 c:\windows\system32\dllcache\scecli.dll
[-] 2004-08-04 11:00 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\$NtServicePackUninstall$\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\dllcache\eventlog.dll
[-] 2004-08-04 11:00 14336 02000ABF34AF4C218C35D257024807D6 c:\windows\$NtServicePackUninstall$\asyncmac.sys
[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\dllcache\asyncmac.sys
[-] 2008-04-13 18:57 14336 B153AFFAC761E7F5FCFA822B9C4E97BC c:\windows\system32\drivers\asyncmac.sys
[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\dllcache\ntfs.sys
[-] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\drivers\ntfs.sys
[-] 2005-01-28 19:44 25088 140EF97B64F560FD78643CAE2CDAD838 c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-01-28 19:44 25088 140EF97B64F560FD78643CAE2CDAD838 c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 11:00 52224 C086483E3DBA8C1C0A687EC8D5B3D4C1 c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2006-10-19 02:47 27136 C51B4A5C05A5475708E3C81C7765B71D c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 02:47 27136 C51B4A5C05A5475708E3C81C7765B71D c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-04 11:00 129536 EEF46DAB68229A14DA3D8E73C99E2959 c:\windows\$NtServicePackUninstall$\xmlprov.dll
[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\system32\xmlprov.dll
[-] 2008-04-14 00:12 129024 295D21F14C335B53CB8154E5B1F892B9 c:\windows\system32\dllcache\xmlprov.dll
[-] 2004-08-04 11:00 60416 10654F9DDCEA9C46CFB77554231BE73B c:\windows\$NtServicePackUninstall$\cryptsvc.dll
[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\system32\cryptsvc.dll
[-] 2008-04-14 00:11 62464 3D4E199942E29207970E04315D02AD3B c:\windows\system32\dllcache\cryptsvc.dll
[-] 2004-08-04 11:00 77312 E3CFCCDDA4EDD1D0DC9168B2E18F27B8 c:\windows\$NtServicePackUninstall$\browser.dll
[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\system32\browser.dll
[-] 2008-04-14 00:11 77824 A06CE3399D16DB864F55FAEB1F1927A9 c:\windows\system32\dllcache\browser.dll
[-] 2005-07-08 16:28 249344 1418A3A6E76E5A2E3F5E43866E793A8B c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 16:27 249344 FB78839B36025AA286A51289ED28B73E c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\system32\tapisrv.dll
[-] 2008-04-14 00:12 249856 3CB78C17BB664637787C9A1C98F79C38 c:\windows\system32\dllcache\tapisrv.dll
[-] 2005-08-22 18:24 197632 3516D8A18B36784B1005B950B84232E1 c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[-] 2005-08-22 18:29 197632 36739B39267914BA69AD0610A0299732 c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\system32\netman.dll
[-] 2008-04-14 00:12 198144 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE c:\windows\system32\dllcache\netman.dll
[-] 2004-08-04 11:00 71680 4B8D61792F7175BED48859CC18CE4E38 c:\windows\$NtServicePackUninstall$\ssdpsrv.dll
[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\system32\ssdpsrv.dll
[-] 2008-04-14 00:12 71680 0A5679B3714EDAB99E357057EE88FCA6 c:\windows\system32\dllcache\ssdpsrv.dll
[-] 2007-02-05 20:19 185344 36ACA6CDC19C95FF468A1426EB7F32F0 c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
[-] 2007-02-05 20:17 185344 ACA5D98663D879C6BAAFCEA7E2F1B710 c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\system32\upnphost.dll
[-] 2008-04-14 00:12 185856 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 c:\windows\system32\dllcache\upnphost.dll
[-] 2004-08-04 11:00 170496 92BDF74F12D6CBEC43C94D4B7F804838 c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\dllcache\srsvc.dll
[-] 2004-08-04 11:00 13824 49911DD39E023BB6C45E4E436CFBD297 c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\wscntfy.exe
[-] 2008-04-14 00:12 13824 F92E1076C42FCD6DB3D72D8CFE9816D5 c:\windows\system32\dllcache\wscntfy.exe
[-] 2004-08-04 11:00 435200 B62F29C00AC55A761B2E45877D85EA0F c:\windows\$NtServicePackUninstall$\ntmssvc.dll
[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\system32\
Aallmark
08-20-2009, 07:01 PM
[-] 2008-04-14 00:12 435200 156F64A3345BD23C600655FB4D10BC08 c:\windows\system32\dllcache\ntmssvc.dll
[-] 2004-08-04 11:00 89088 44DB7A9BDD2FB58747D123FBF1D35ADB c:\windows\$NtServicePackUninstall$\rasauto.dll
[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\ServicePackFiles\i386\rasauto.dll
[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\system32\rasauto.dll
[-] 2008-04-14 00:12 88576 AD188BE7BDF94E8DF4CA0A55C00A5073 c:\windows\system32\dllcache\rasauto.dll
[-] 2004-08-04 11:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\dllcache\sfcfiles.dll
[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\dllcache\cache\sfcfiles.dll
[-] 2004-08-04 11:00 190976 92360854316611F6CC471612213C3D92 c:\windows\$NtServicePackUninstall$\schedsvc.dll
[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\system32\schedsvc.dll
[-] 2008-04-14 00:12 192512 0A9A7365A1CA4319AA7C1D6CD8E4EAFA c:\windows\system32\dllcache\schedsvc.dll
[-] 2004-08-04 11:00 59904 3151427DB7D87107D1C5BE58FAC53960 c:\windows\$NtServicePackUninstall$\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\regsvc.dll
[-] 2008-04-14 00:12 59904 5B19B557B0C188210A56A6B699D90B8F c:\windows\system32\dllcache\regsvc.dll
[-] 2006-12-19 21:50 135168 53D9184A21C5CBF600D918E51EF3A7E5 c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[-] 2006-12-19 21:52 134656 6815DEF9B810AEFAC107EEAF72DA6F82 c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\shsvcs.dll
[-] 2008-04-14 00:12 135168 1926899BF9FFE2602B63074971700412 c:\windows\system32\dllcache\shsvcs.dll
Aallmark
08-20-2009, 07:02 PM
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-06-01 1059720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
c:\documents and settings\John\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Express\BBLauncher.exe [2008-9-25 93888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 01:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/7/2009 5:11 PM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/23/2008 1:10 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/23/2008 1:11 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 2:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/23/2008 1:10 AM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/23/2008 1:10 AM 298776]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [6/7/2009 12:23 PM 151552]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/10/2004 2:50 PM 5120]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
Aallmark
08-20-2009, 07:03 PM
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Alex A.ALEXPC\Application Data\Mozilla\Firefox\Profiles\gtakyyzf.default\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 15:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\snmp.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-08-20 15:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-20 19:22
Pre-Run: 209,068,032 bytes free
Post-Run: 2,032,791,552 bytes free
541 --- E O F --- 2009-08-14 16:10
Aallmark
08-20-2009, 07:04 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:10 PM, on 8/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 10066 bytes
Aallmark
08-22-2009, 02:23 PM
After running those programs, nothing has changed I'm afraid.
crunchie
08-24-2009, 05:31 PM
Not looking good. Do you have your XP CD? If so, go to Start | Run and type in sfc /scannow and hit the Ok button. Insert your CD if/when requested.
After a reboot, see how things are.
Aallmark
08-24-2009, 10:26 PM
I think the XP CD really could solve my problems, seeing as how I can't get on. I get this error message: "Windows could not start because the following file is missing or corrupt: <Windows root>\system32\hal.dll." Most of the solutions say to use the XP CD to fix it, but I unfortunately don't have that.
crunchie
08-25-2009, 01:41 AM
Do you know anybody that could lend you the correct CD in order for you to carry out the repairs?
If the sfc /scannow does not fix it, you will then have to run the repair option, meaning you will still need a CD.
You will need to get the product key off your PC. If there is no sticker on the case giving the product key, there is software around that will enable you to retrieve it from your PC.
Aallmark
08-27-2009, 03:19 PM
I'll have to ask around about the CD. I can't even get into XP, so I don't think I can run sfc /scannow, can I?
Aallmark
08-27-2009, 03:24 PM
http://tips.vlaurie.com/2006/05/23/recovery-console-for-those-without-an-xp-disk/
Do you think this will work? I tried it but it didn't work, so I don't think I did it right.
crunchie
08-27-2009, 05:33 PM
Not sure why it will not work for you. I think your best bet would be to try and borrow the CD, or purchase one.
Are you able to boot to the last known good configuration?
Aallmark
10-24-2009, 09:16 PM
Oh wow, it's been a while. I just wanted to post one last response about this issue for anyone who's had this problem. I unfortunately could not figure out a way to fix this before the computer completely broke down. My dad had a friend restore it for cheap, so we're lucky. Still, I found that the space on the C drive was extremely low, almost as low as before. I downloaded this software, TreeSize (http://www.jam-software.com/freeware/index.shtml), to find out what was eating my C drive and found that about 30 or more (I think more) GB of the storage space was being taken up by "dump" files from AVG. I deleted the files and I finally have more free space than used space on the drive! I want to thank everyone on this forum that helped with this problem!! I will definitely come back here if another problem appears.
Until then,
Alex