metafora9
2007-12-27, 08:24
.
- If I turn it off today, then tomorrow it will start by itself. ( We did not set up this machine to do this)
-Web pages suddenly have a different type set.
- I've been switched off Printer & file sharing every day.
We tried the online scanner Kaspersky but couldn't do it apparently because my browser is Firefox. So I went ahead and just did the HijackThis. Here's the Log file. Regards...& happy holiday season.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:00 AM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (disabled by BHODemon)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: PermissionTV Download Manager Service (PermissionTVDownloadManager) - PermissionTV - C:\PROGRA~1\PERMIS~1\bin\dm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZipm12.exe
--
End of file - 5101 bytes
little eagle
2008-01-11, 03:24
- If I turn it off today, then tomorrow it will start by itself. ( We did not set up this machine to do this)
If you have windows set to auto update the PC will turn on and connect to the net on it's own.
Please post a new hijackthis this log as it has been a few days.
metafora9
2008-01-12, 06:03
*Even when it did not show on my HijackThis log, Regedit shows that many appl. have now a number 1 at the very end. Some says "-is 1" (without "). I never have seen this before.
Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:15 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PermissionTV\bin\dmtray.exe
C:\Program Files\OOo-dev 2.4\program\soffice.exe
C:\Program Files\OOo-dev 2.4\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = hello world
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (disabled by BHODemon)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OOo-dev 2.4.lnk = C:\Program Files\OOo-dev 2.4\program\quickstart.exe
O4 - Startup: Russell Library Tray App.lnk = ?
O4 - Global Startup: Device Detector 2.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: PermissionTV Download Manager Service (PermissionTVDownloadManager) - PermissionTV - C:\PROGRA~1\PERMIS~1\bin\dm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZipm12.exe
--
End of file - 8768 bytes
little eagle
2008-01-12, 13:52
I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.
This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:
Please click on start, then run, and type msconfig and then press enter.
When the window opens click on the startup tab and make sure there are checkmarks in every entry.
Then press ok until you are out of the program. If it asks to reboot, do not reboot.
Now please create a new Hijackthis Log and post it as a reply.
metafora9
2008-01-12, 22:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:50 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (disabled by BHODemon)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: PermissionTV Download Manager Service (PermissionTVDownloadManager) - PermissionTV - C:\PROGRA~1\PERMIS~1\bin\dm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZipm12.exe
--
End of file - 5988 bytes
little eagle
2008-01-13, 16:27
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
metafora9
2008-01-17, 05:41
Sorry it took me so long. Here's the POS Log.
Incident Status Location
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Mayo\Desktop\ComboFix.exe[nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Mayo\Desktop\ComboFix.exe[nircmd.cfexe]
:sad::sad:
little eagle
2008-01-17, 13:38
Not seeing anything that looks like malware.
Your problem doesn't seam like it is spyware related.
Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.
metafora9
2008-01-20, 08:47
I wish i could feel more happy specially after all your help.
This computer isn't the same any more. It acts pretty much like a robot. I just dont know what to think. I installed a new firewall and ran Combofit. Thank you, please advice.
Just In case you ask, here's the:red:. Regard
ComboFix 08-01-11.3 - Abril 2008-01-20 1:26:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT -5:00]
Running from: C:\Documents and Settings\Mayo\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.
2008-01-20 00:37 . 2008-01-20 00:37 <DIR> d-------- C:\Documents and Settings\Abril\Application Data\Comodo
2008-01-19 23:27 . 2008-01-19 23:27 <DIR> d-------- C:\Program Files\COMODO
2008-01-19 23:27 . 2008-01-19 23:27 <DIR> d-------- C:\Documents and Settings\Mayo\Application Data\Comodo
2008-01-19 23:27 . 2008-01-19 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-01-19 23:27 . 2008-01-19 23:27 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-01-19 23:27 . 2008-01-19 23:27 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-01-19 23:27 . 2008-01-19 23:27 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-01-19 23:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 12:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 12:29 . 2008-01-14 12:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 12:29 . 2008-01-14 12:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-14 10:18 . 2008-01-14 10:18 <DIR> d-------- C:\Documents and Settings\Mayo\Application Data\Apple Computer
2008-01-14 10:17 . 2008-01-19 17:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 10:17 . 2008-01-14 10:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-12 19:58 . 2008-01-16 22:33 <DIR> d-------- C:\Documents and Settings\Abril\.housecall6.6
2008-01-10 19:08 . 2004-08-10 06:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_1145.nls
2008-01-10 19:08 . 2004-08-10 06:00 66,082 --a------ C:\WINDOWS\system32\c_1145.nls
2008-01-08 23:46 . 2008-01-09 00:54 <DIR> d-------- C:\Program Files\TaxCut01
2008-01-08 23:46 . 2001-09-13 12:43 81,176 --a------ C:\WINDOWS\system32\tt2004m_.ttf
2008-01-08 23:46 . 2001-09-13 12:43 76,852 --a------ C:\WINDOWS\system32\tt2002m_.ttf
2008-01-08 23:46 . 2001-09-13 12:43 74,984 --a------ C:\WINDOWS\system32\tt2001m_.ttf
2008-01-08 23:46 . 2001-09-13 12:43 69,668 --a------ C:\WINDOWS\system32\tt2003m_.ttf
2008-01-08 18:39 . 2008-01-08 18:39 20,103 --ah----- C:\WINDOWS\system32\mpass.GID
2007-12-20 00:07 . 2007-12-20 00:07 <DIR> d-------- C:\Documents and Settings\Abril\Application Data\FileMaker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 05:57 --------- d-----w C:\Program Files\Visual TimeAnalyzer
2008-01-20 05:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Analyzer
2008-01-20 03:15 --------- d-----w C:\Documents and Settings\Abril\Application Data\OOo-dev2
2008-01-20 03:10 --------- d-----w C:\Program Files\DYMO Label
2008-01-20 02:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-19 18:35 --------- d-----w C:\Documents and Settings\Abril\Application Data\Skype
2008-01-17 03:19 --------- d-----w C:\Documents and Settings\Abril\Application Data\WholeSecurity
2008-01-14 19:32 --------- d-----w C:\Documents and Settings\Mayo\Application Data\OOo-dev2
2008-01-14 17:43 --------- d-----w C:\Program Files\7-Zip
2008-01-14 15:13 --------- d-----w C:\Documents and Settings\Mayo\Application Data\U3
2008-01-11 23:31 --------- d-----w C:\Documents and Settings\Abril\Application Data\dvdcss
2008-01-07 04:41 --------- d-----w C:\Program Files\TagBot
2007-12-22 03:45 --------- d-----w C:\Program Files\readmes
2007-12-20 03:26 --------- d-----w C:\Documents and Settings\Abril\Application Data\Leadertech
2007-12-19 04:13 --------- d-----w C:\Program Files\OOo-dev 2.4
2007-12-13 19:36 --------- d-----w C:\Program Files\SMS Software
2007-12-13 04:22 --------- d-----w C:\Documents and Settings\Mayo\Application Data\Skype
2007-12-10 06:56 8,192 --sha-w C:\Program Files\Thumbs.db
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-12-01 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-01 00:32 --------- d-----w C:\Documents and Settings\Abril\Application Data\FastStone
2007-12-01 00:03 --------- d-----w C:\Documents and Settings\Abril\Application Data\eBay
2007-11-29 05:31 --------- d-----w C:\Documents and Settings\Mayo\Application Data\eBay
2007-11-29 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\eBay
2007-11-29 05:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 05:28 --------- d-----w C:\Program Files\eBay
2007-11-29 05:28 --------- d-----w C:\Documents and Settings\Mayo\Application Data\InstallShield
2007-11-28 04:48 --------- d-----w C:\Program Files\Yahoo!
2007-11-28 04:48 --------- d-----w C:\Program Files\Windows Plus
2007-11-28 04:48 --------- d-----w C:\Program Files\QuickTime
2007-11-28 04:47 --------- d--h--r C:\Documents and Settings\Mayo\Application Data\yahoo!
2007-11-28 04:47 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-28 04:47 --------- d-----w C:\Program Files\Neat Image
2007-11-28 04:47 --------- d-----w C:\Program Files\Java
2007-11-28 04:47 --------- d-----w C:\Documents and Settings\Mayo\Application Data\Sonic
2007-11-28 04:47 --------- d-----w C:\Documents and Settings\Mayo\Application Data\Roxio
2007-11-28 04:47 --------- d-----w C:\Documents and Settings\Mayo\Application Data\ICAClient
2007-11-28 04:47 --------- d-----w C:\Documents and Settings\Mayo\Application Data\Creative
2007-11-28 04:47 --------- d-----w C:\Documents and Settings\Abril\Application Data\ICAClient
2007-11-27 14:43 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-11-27 14:43 --------- d-----w C:\Documents and Settings\Mayo\Application Data\FastStone
2007-11-25 05:04 --------- d-----w C:\Documents and Settings\Abril\Application Data\Thunderbird
2007-11-21 01:29 --------- d-----w C:\Documents and Settings\Mayo\Application Data\Thunderbird
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-08-13 16:37 66,564,711 ----a-w C:\Program Files\ooo-dev3.cab
2007-08-13 16:37 3,320,299 ----a-w C:\Program Files\ooo-dev4.cab
2007-08-13 16:32 17,642,544 ----a-w C:\Program Files\ooo-dev2.cab
2007-08-13 16:31 18,778,240 ----a-w C:\Program Files\ooo-dev1.cab
2007-08-13 16:29 4,362,240 -c--a-w C:\Program Files\ooodev23.msi
2007-08-13 16:29 203 -c--a-w C:\Program Files\SETUP.INI
2007-08-08 22:12 319,488 ----a-w C:\Program Files\Setup.exe
2007-05-30 13:28 2,693,125 ----a-w C:\Program Files\SkyTone 3.0.0.30.exe
2007-03-21 14:37 47,269 -c--a-w C:\Program Files\mtgprefs.res
2007-03-21 13:02 8,853 ----a-w C:\Program Files\Uninst.isu
2007-03-21 13:02 31 -c--a-w C:\Program Files\mtgprefs.ini
2007-03-21 13:02 1,024 -c--a-w C:\Program Files\asifont.map
2006-04-06 17:30 46,532 -c--a-w C:\Program Files\Readme.txt
2006-04-06 16:03 649 -c--a-w C:\Program Files\layout.bin
2006-04-06 16:03 49 -c--a-w C:\Program Files\setup.lid
2006-04-06 16:03 4,911 -c--a-w C:\Program Files\_user1.hdr
2006-04-06 16:03 4,616 -c--a-w C:\Program Files\_sys1.hdr
2006-04-06 16:03 4,122 -c--a-w C:\Program Files\data1.hdr
2006-04-06 16:03 358,152 ----a-w C:\Program Files\_sys1.cab
2006-04-06 16:03 2,556,149 ----a-w C:\Program Files\Data1.cab
2006-04-06 16:03 111 -c--a-w C:\Program Files\DATA.TAG
2006-04-06 16:03 1,237 ----a-w C:\Program Files\_user1.cab
2006-03-07 02:36 2,875,443 ----a-w C:\Program Files\mtg.exe
2006-03-07 02:12 1,049,550 -c--a-w C:\Program Files\MTG.rsr
2006-03-07 00:54 66,760 -c--a-w C:\Program Files\setup.ins
2006-01-31 19:38 84,070 ----a-w C:\Program Files\setup.bmp
2005-09-10 00:55 7,155,864 -c--a-w C:\Program Files\NGhost10.msi
2004-12-09 20:47 126,073 -c--a-w C:\Program Files\Sample.mtg
2004-04-09 14:05 1,067,619 -c--a-w C:\Program Files\Sample.pict
2003-03-03 18:38 1,273,932 -c--a-w C:\Program Files\asintppc.dll
2002-07-29 15:21 188,416 ----a-w C:\Program Files\edputdyn.dll
2002-04-26 21:12 72,173 -c--a-w C:\Program Files\Asiport.rsr
2002-03-11 09:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe
2002-03-11 08:45 1,708,856 ----a-w C:\Program Files\instmsia.exe
2002-02-24 17:03 212,992 ----a-w C:\Program Files\mtgQtml.dll
2002-01-24 23:01 139,264 ----a-w C:\Program Files\Instaide.dll
1999-02-23 15:46 289,647 -c--a-w C:\Program Files\_INST16.EX_
1999-02-23 15:45 296,674 -c--a-w C:\Program Files\_INST32I.EX_
1999-01-12 15:34 23,541 -c--a-w C:\Program Files\lang.dat
1998-10-27 17:08 8,704 ----a-w C:\Program Files\_ISDel.exe
1998-09-29 21:44 11,264 ----a-w C:\Program Files\_setup.dll
1998-07-27 22:41 450 -c--a-w C:\Program Files\os.dat
1998-01-13 22:59 68,264 ----a-w C:\Program Files\Wcheck.exe
1997-02-24 11:21 37,888 ----a-w C:\Program Files\EVCHK3.DLL
1997-02-24 11:21 18,944 ----a-w C:\Program Files\EVCHK32.DLL
2007-02-03 09:16 56 --sha-r C:\WINDOWS\system32\4F96860DC7.sys
2007-02-03 09:16 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-01-18 07:25 623856]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 04:20 122940]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-01-19 23:27 1481472]
C:\Documents and Settings\Mayo\Start Menu\Programs\Startup\
Russell Library Tray App.lnk - C:\Program Files\PermissionTV\bin\dmtray.exe [2007-08-04 03:11:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-19 23:27]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-01-19 23:27]
R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [1999-11-05 15:57]
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 20:44]
R3 USA19W;USA19W;C:\WINDOWS\system32\DRIVERS\usa19w2k.sys [2002-05-13 10:42]
R3 USA19w2KP;Keyspan High Speed USB Serial Adapter Port Driver;C:\WINDOWS\system32\DRIVERS\usa19w2kp.SYS [2002-04-08 13:46]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 PermissionTVDownloadManager;PermissionTV Download Manager Service;C:\PROGRA~1\PERMIS~1\bin\dm.exe [2007-08-09 11:31]
S3 VVRUSB;VVRUSB Device;C:\WINDOWS\system32\DRIVERS\VVRUSB.sys [2002-01-20 10:02]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6584e947-7313-11db-9844-806d6172696f}]
\shell\play\command - C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1
*Newly Created Service* - CMDAGENT
*Newly Created Service* - CMDGUARD
*Newly Created Service* - CMDHLP
*Newly Created Service* - INSPECT
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 01:28:37
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-20 1:29:35
ComboFix-quarantined-files.txt 2008-01-20 06:29:18
ComboFix2.txt 2008-01-20 05:20:31
ComboFix3.txt 2008-01-20 04:24:43
.
2008-01-12 02:54:35 --- E O F ---
little eagle
2008-01-20, 16:26
I'd like to see an Uninstall List.
Please open up HijackThis.
Click on Open the Misc Tools section button
Click on Open Uninstall Manager
Click on Save
A notepad document will open with a list of your installed programs.
Please copy that into your reply.
----------------------------
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)