View Full Version : Windows XP Toolbar Icons Deactivated and Disappear - no malware found
Big_John
2008-06-19, 22:03
In an attempt to sort my problem, I've downloaded and run the following:
cwshredder
rr-free-setup
spybotsd152
aaw2008
XP-ToolbarFix
SUPERAntiSpyware
and none of them have found or been able to fix my problem:
When I start Windows XP everything seems fine until I click on one of the Quick Launch Toolbar icons on the taskbar.
Then the Toolbar icons stop being clickable, and after an indeterminate period they disappear.
The place where each one was still has an alternative text available, but no icon, or potential action.
The same happens with my Desktop toolbar, which is on the lhs of my screen.
One icon clicked - I use right-click and Open, and then they don't work then they disappear.
(I use auto-hide - and when the toolbar appears it is blank).
I have run Spybot - full scan - but it fails to find any malware :-(
Here's the HJT log. What do I do next, please? I am impressed with the responses over the last few days on this forum,
but can't find a case quite like mine.
To cap it all, my wife's laptop - on the network - has a similar problem, but with no malware found either.
Will the solution for mine be the same for hers, since we probably were infected by the same email/attachment?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:57, on 19/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\PhoneConnectorVMC.exe
E:\vmc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FlashgetMini] C:\Program Files\FlashGet Network\Flashget\Temp\setup.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: UseFlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: UseFlashGetDownloadAllLink - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204163253078
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB670C3-7408-40CD-BD81-BFC9CF7E71D4}: NameServer = 10.203.129.68 10.203.129.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFBF0A85-7597-4C8D-88EB-7795E5244572}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 10629 bytes
:sad:
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those three things, everything should go smoothly :D
I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.
----------------------------------------------------------------------------------------
If you still require help please post a fresh HJT log
Big_John
2008-06-25, 15:32
Hi Katana,
Thanks for coming back to me. Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:00, on 25/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
E:\vmc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [VMCL] C:\Program Files\vodafone\vmclite\DongleEnumerator.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: UseFlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: UseFlashGetDownloadAllLink - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204163253078
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB670C3-7408-40CD-BD81-BFC9CF7E71D4}: NameServer = 10.205.65.68 10.205.65.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFBF0A85-7597-4C8D-88EB-7795E5244572}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 10493 bytes
Hi Big_John,
There is no obvious malware showing, but let's get a couple more scans to make sure.
Note. Your Wife's machine may or may not have the same problem, so I wouldn't follow these instructions for that machine just yet.
Let's find out what is going on first.
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post the log from ComboFix when you've accomplished that.
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs. Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Installed Programs
Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
ComboFix Log
Kaspersky Log
Installed Programs List
About how long has this been happening ?
Did it start at about the same time on both machines ?
Did you install any programs on both machines ?
Big_John
2008-06-25, 16:06
Hi
I'm following the instructions on
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
and need to install the Windows Recovery Console without a CD.
When I go to:
http://support.microsoft.com/kb/310994
It doesn't have a download for Windows XP Professional SP3, which I have installed.
Suggestions please.
Use the instructions for SP2, the Recovery Console is the same for both versions :)
Big_John
2008-06-26, 01:33
Here we go, Katana,
I appreciate your help. I enjoyed the cups of tea :laugh:
ComboFix Log
ComboFix 08-06-16.5 - John Slee 2008-06-25 14:55:34.1 - NTFSx86
Running from: C:\Documents and Settings\John Slee.EPIPHANY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Slee.EPIPHANY\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\Cache
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Service_Iprip
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.
2010-10-10 10:09 . 2010-10-10 10:09 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2010-10-10 10:09 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\AvRack
2010-10-10 10:08 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-24 14:37 . 2008-06-24 14:37 <DIR> d-------- C:\Documents and Settings\John Slee.EPIPHANY\Application Data\GlarySoft
2008-06-22 11:12 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-06-22 11:12 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-20 10:49 . 2008-06-20 10:49 <DIR> d-------- C:\Deckard
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-19 16:06 . 2008-06-19 16:17 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-19 12:44 . 2004-08-04 13:00 300,969 -----c--- C:\WINDOWS\system32\dllcache\viz.wmv
2008-06-19 12:43 . 2004-08-04 13:00 1,398 -----c--- C:\WINDOWS\system32\dllcache\taon.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,380 -----c--- C:\WINDOWS\system32\dllcache\taonh.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,380 -----c--- C:\WINDOWS\system32\dllcache\taoff.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,367 -----c--- C:\WINDOWS\system32\dllcache\taoffh.gif
2008-06-19 12:41 . 2004-08-04 13:00 572,557 -----c--- C:\WINDOWS\system32\dllcache\rtuner.wmv
2008-06-19 12:41 . 2008-04-14 01:12 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2008-06-19 12:41 . 2008-04-14 01:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-06-19 12:41 . 2004-08-03 22:29 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys
2008-06-19 12:41 . 2008-04-13 18:28 66,725 -----c--- C:\WINDOWS\system32\dllcache\revert.wmz
2008-06-19 12:41 . 2008-04-14 01:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-06-19 12:41 . 2008-04-13 19:56 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-06-19 12:41 . 2008-04-13 19:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-19 12:39 . 2008-04-14 01:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-06-19 12:39 . 2004-08-03 22:29 1,897,408 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-06-19 12:39 . 2004-08-04 13:00 375,519 -----c--- C:\WINDOWS\system32\dllcache\nuskin.wmv
2008-06-19 12:39 . 2004-08-03 22:41 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys
2008-06-19 12:39 . 2008-04-14 01:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-06-19 12:38 . 2008-04-14 01:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
2008-06-19 12:38 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-06-19 12:38 . 2004-08-04 13:00 22,060 -----c--- C:\WINDOWS\system32\dllcache\npds.zip
2008-06-19 12:38 . 2004-08-04 13:00 403 -----c--- C:\WINDOWS\system32\dllcache\npdrmv2.zip
2008-06-19 12:36 . 2008-04-14 01:10 294,912 -----c--- C:\WINDOWS\system32\dllcache\msaud32.acm
2008-06-19 12:35 . 2008-04-14 01:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-19 12:35 . 2008-04-14 01:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-06-19 12:35 . 2008-04-14 01:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-06-19 12:35 . 2004-08-04 13:00 97,117 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.hlp
2008-06-19 12:35 . 2008-04-14 01:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-06-19 12:35 . 2004-08-04 13:00 18,286 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.inf
2008-06-19 12:35 . 2004-08-04 13:00 2,778 -----c--- C:\WINDOWS\system32\dllcache\mplogoh.gif
2008-06-19 12:35 . 2004-08-04 13:00 2,545 -----c--- C:\WINDOWS\system32\dllcache\mplogo.gif
2008-06-19 12:35 . 2004-08-04 13:00 1,885 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.cnt
2008-06-19 12:34 . 2004-08-04 13:00 457,607 -----c--- C:\WINDOWS\system32\dllcache\mdlib.wmv
2008-06-19 12:34 . 2008-04-14 01:11 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2008-06-19 12:34 . 2004-08-03 22:41 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-19 12:33 . 2008-04-14 01:09 290,816 -----c--- C:\WINDOWS\system32\dllcache\l3codeca.acm
2008-06-19 12:33 . 2008-04-14 01:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-06-19 12:32 . 2008-04-14 01:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-06-19 12:30 . 2007-06-21 06:52 974 --------- C:\WINDOWS\system32\pid.inf
2008-06-19 12:29 . 2008-04-13 19:45 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-06-19 12:29 . 2008-04-13 19:43 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2008-06-19 12:27 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-06-19 12:27 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-06-19 12:27 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-06-19 12:27 . 2008-04-13 19:36 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-06-19 12:27 . 2008-04-14 01:11 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2008-06-19 12:27 . 2008-04-13 19:46 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2008-06-19 12:27 . 2008-04-13 19:45 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2008-06-19 12:25 . 2008-04-14 01:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-19 12:24 . 2008-04-14 01:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-06-19 12:24 . 2008-04-13 19:46 36,480 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2008-06-19 12:24 . 2008-04-14 01:11 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-19 12:24 . 2004-08-04 13:00 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-06-19 12:22 . 2008-04-14 01:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-06-19 12:22 . 2008-04-14 01:11 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Documents and Settings\John Slee.EPIPHANY\Application Data\SUPERAntiSpyware.com
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-18 23:49 . 2008-06-18 23:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 12:40 . 2008-06-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-18 12:26 . 2008-06-19 01:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 11:16 . 2008-06-18 11:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 11:16 . 2008-06-18 12:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-18 09:54 . 2008-06-18 09:54 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-06-17 18:52 . 2005-02-03 18:58 425,984 --a------ C:\WINDOWS\system32\GeoCodec.dll
2008-06-17 18:52 . 2005-02-03 18:58 425,984 -ra------ C:\WINDOWS\GeoCodec.dll
2008-06-17 18:52 . 2001-05-04 12:05 413,760 --a------ C:\WINDOWS\mpg4c32.dll
2008-06-17 18:52 . 2005-03-08 17:02 92,105 --a------ C:\WINDOWS\Stable_7000.xml
2008-06-17 18:52 . 2003-12-02 10:03 12,045 --a------ C:\WINDOWS\buzzer.wav
2008-06-16 16:42 . 2008-06-16 16:42 <DIR> d-------- C:\Program Files\MozBackup
2008-06-13 13:46 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:46 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-13 02:51 . 2008-06-13 21:10 765 --a------ C:\camerades.inf
2008-06-13 01:21 . 2008-04-13 19:46 85,248 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2008-06-13 01:21 . 2008-04-13 19:46 19,200 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2008-06-13 01:21 . 2008-04-13 19:46 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2008-06-13 01:21 . 2008-04-14 01:12 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-06-13 01:21 . 2008-04-13 19:46 15,232 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2008-06-13 01:21 . 2008-04-13 19:46 11,136 --a------ C:\WINDOWS\system32\drivers\slip.sys
2008-06-13 01:21 . 2008-04-13 19:46 10,880 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2008-06-13 01:21 . 2008-04-13 19:39 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 14:06 1,893 ----a-w C:\WINDOWS\bcmwltrytmp.reg
2008-06-25 12:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-25 11:41 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\OpenOffice.org2
2008-06-24 23:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-06-20 12:03 --------- d-----w C:\Program Files\Java
2008-06-18 22:30 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-18 11:40 --------- d-----w C:\Program Files\Lavasoft
2008-06-18 09:39 --------- d-----w C:\Program Files\Email Marketing Pro 2008
2008-06-17 20:13 --------- d-----w C:\Program Files\QuickTime
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 00:29 --------- d-----w C:\Program Files\WebCam
2008-05-26 06:37 --------- d-----w C:\Program Files\palmOne
2008-05-25 21:16 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\AVGTOOLBAR
2008-05-25 21:07 9,388 ----a-w C:\WINDOWS\system32\drivers\iaStor.PNF
2008-05-25 21:07 7,280 ----a-w C:\WINDOWS\system32\drivers\viamraid.PNF
2008-05-25 21:07 63,240 ----a-w C:\WINDOWS\system32\drivers\Si3112r.PNF
2008-05-25 21:07 6,984 ----a-w C:\WINDOWS\system32\drivers\SiSRaid.PNF
2008-05-25 21:07 12,432 ----a-w C:\WINDOWS\system32\drivers\adpu320.PNF
2008-05-25 21:07 12,204 ----a-w C:\WINDOWS\system32\drivers\nvraid.PNF
2008-05-25 21:07 10,828 ----a-w C:\WINDOWS\system32\drivers\iaAHCI.PNF
2008-05-22 11:14 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\GeoSetter
2008-05-22 08:24 --------- d-----w C:\Program Files\GeoSetter
2008-05-18 09:35 --------- d-----w C:\Program Files\orange3
2008-05-17 19:46 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-17 19:46 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-17 19:46 --------- d-----w C:\Program Files\AVG
2008-05-17 19:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-17 10:36 --------- d-----w C:\Program Files\Water Explorer
2008-05-15 23:01 --------- d-----w C:\Program Files\Gallery Remote
2008-05-15 22:22 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\PFrank
2008-05-15 22:09 --------- d-----w C:\Program Files\PFrank
2008-05-15 10:03 --------- d--h--w C:\Program Files\Zero G Registry
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 15:56 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\BITS
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-26 07:08 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Nokia Multimedia Player
2008-04-26 06:50 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-26 06:50 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-25 20:18 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-25 20:18 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-25 20:17 --------- d-----w C:\Program Files\Nokia
2008-04-25 20:16 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-25 20:12 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations
2008-04-25 15:43 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\PC Suite
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2007-04-21 14:32 80 ----a-w C:\Program Files\serial.txt
2007-01-10 15:37 278,528 ----a-w C:\Program Files\Common Files\FDEUnInstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 10:08 68856]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"ISUSPM"="C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 16:41 222128]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"VMCL"="C:\Program Files\vodafone\vmclite\DongleEnumerator.exe" [2007-08-17 14:35 131072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 05:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 17:22 577536 C:\WINDOWS\soundman.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 05:44 557056 C:\WINDOWS\sm56hlpr.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-20 06:20 29744]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 10:35 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 01:12 110592 C:\WINDOWS\system32\bthprops.cpl]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-17 20:46 1177368]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]
C:\Documents and Settings\John Slee.EPIPHANY\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM 393216]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/26/2006 8:56:55 AM 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [10/26/2006 12:24:59 AM 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM 282624]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [1/1/2007 12:22:03 PM 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 9:15:54 AM 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-17 20:46]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-17 20:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 20:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-17 20:46]
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 18:22]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-20 06:20]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 phil2vid;Philips USB VGA Camera;C:\WINDOWS\system32\DRIVERS\philcam2.sys [2001-08-17 14:04]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e60155-ee01-11dc-8457-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e60156-ee01-11dc-8457-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31a2c79a-f811-11dc-847f-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31a2c79b-f811-11dc-847f-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36fa1034-ee72-11dc-8458-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c32ba74-f006-11dc-845d-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf184a-f064-11dc-8461-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf184b-f064-11dc-8461-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d51d1d4c-f872-11dc-8481-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d51d1d4d-f872-11dc-8481-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb227-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb228-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb229-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb22a-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb22d-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 18:28:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 15:06:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2008-06-25 15:18:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 14:17:58
Pre-Run: 10,200,993,792 bytes free
Post-Run: 10,202,140,672 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
366 --- E O F --- 2008-06-20 14:13:37
Kaspersky Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 25, 2008 16:49:01
Records in database: 882642
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 203328
Threat name: 2
Infected objects: 1
Suspicious objects: 10
Duration of the scan: 05:18:35
File name / Threat name / Threats count
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\Local Folders\Inbox.sbd\shopping.sbd\Paypal Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\w2nw9ysm.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Orange\setup\Orange_icons.EXE Infected: not-a-virus:AdWare.Win32.BHO.ahy 1
The selected area was scanned.
Installed Programs List
Ad-Aware
Adobe Flash Player Plugin
Adobe Photoshop 6.0
Adobe Reader 8.1.2
Adobe SVG Viewer
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Broadcom 802.11 Network Adapter
Family History Resource File Viewer 2.0
Family Tree Maker 7.5
FLV Player 2.0, build 23
Gallery Remote
GeoSetter 2.5.3
Google Desktop
Google Earth
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 6
Larry's OpenOffice and StarOffice Indexer
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Malwarebytes' RogueRemover
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0)
Mozilla Thunderbird (2.0.0.14)
MSN
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MySQL Server 5.0
MySQL Tools for 5.0
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
OpenOffice.org 2.4
Palm Desktop
PC Connectivity Solution
Peter's Flexible RenAmiNg Kit (PFrank) 2.17
Picasa 2
QuickTime
RealPlayer
Realtek AC'97 Audio
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tweak UI
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Vodafone Mobile Connect Lite
WD Diagnostics
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Imaging Component
Windows XP Service Pack 3
WinMerge 2.6.14.0
About how long has this been happening ?
Just over a week
Did it start at about the same time on both machines ?
Yes
Did you install any programs on both machines ?
upgraded to Mozilla Firefox 3, but I had done so on my laptop several days before the error occurred.
Happy Hunting!
Well, there is still no dramatic malware showing .....
ComboFix removed a couple of remnants, and Kaspersky showed a couple of dubious e-mails (but they were mainly in Trash and Junk folders )
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\Local Folders\Inbox.sbd\shopping.sbd\Paypal Suspicious
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Junk Suspicious
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Trash Suspicious
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\w2nw9ysm.default\Mail\Local Folders\Trash Suspicious
I recommend you empty these folders via Thunderbird
There does however look to be some problem with the system stability
ComboFix shows these files being created
2010-10-10 10:09 . 2010-10-10 10:09 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2010-10-10 10:09 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\AvRack
2010-10-10 10:08 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\Realtek AC97
I don't know how you managed to time travel to 2010 ???!!!!!
Let's try a last couple of scans
NOTE:- It may be best if you attach these logs rather than posting them as they are quite large
Please download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) from Bleeping Computer by OldTimer and save it to your desktop.
Double click on OTScanIt.exe to run it.
Click on Extract. Once done, you will be prompted. Click OK and click Close.
Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
Under Drivers section, select Non-Microsoft.
Click on the Run Scan button at the top left hand corner.
OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it
GetSystemInfo
Please download GetSystemInfo from HERE (ftp://ftp.kaspersky.ru/utils/getsysteminfo/GetSystemInfo.exe)
Double click GetSysteminfo.exe
It will ask you where to save the report, please save it to your desktop or somewhere that you can find it easily.
It will display it's progress on your screen, when the box disappears it has finished.
Big_John
2008-06-26, 12:52
Good Morning, Katana.
Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
AVG Resident Shield is trapping this as a threat:
Trojan horse Generic10.ASCM
What do I do?
You will need to disable AVG while you run the scan.
OTScanIt is perfectly safe, it is just the way the tool works that gets flagged.
Big_John
2008-06-26, 14:03
Hi again
5 files attached. (There's an individual file upload limit).
I've just had a thought if these don't enlighten us. (I hope that's allowed!) ATM I haven't got the Quick Launch or Desktop Toolbars activated. When I have QL activated, it is when I (right-)click on one of them that the other icons are de-activated. Is there a before and after scan that I could run that might tell you what has been run as a right of the right-click?
Regards
John
Thoughts are always allowed :bigthumb:
Let me go through these logs and see if anything stands out.
Please be patient, as you can see there is a lot of info to look at there.
OK, there doesn't appear to be any problems present in those logs either :(
How many icons do you have in the Quick Launch bar?
What programs are they for ?
Do you have any problems when you right-click anywhere else ?
Can you re-run OTScanIt please,
Under "Additional Scans" please put a check mark next to the following items
Reg - Security Settings
Reg - Software Policy Settings
Reg - Desktop Components
now click "Run Scan" as before.
Also, please can you do the following, I doubt it is related to your problem but I would like to have a look at a file
Upload a File
Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)
Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop
C:\Program.exe
Go to spykiller (http://thespykiller.co.uk/index.php?board=1.0)
Please start a new thread Titled File/s for Katana and give the following information
Name:-- Your name
E-mail:-- Your E-mail (this is confidential and will not be displayed)
Subject:-- File for Katana
In the main text window please put the following link
LINK here
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.
Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files
Big_John
2008-06-28, 15:18
Sorry not to have replied before, Katana, but I didn't get an email notifying me of this post:sad:
OK, there doesn't appear to be any problems present in those logs either :(
How many icons do you have in the Quick Launch bar?
What programs are they for ?
Do you have any problems when you right-click anywhere else ?
I have 9 icons in the QL bar:
link to a folder
IE7
Mozilla Firefox
Mozilla Thunderbird
Quick Time Player
Show Desktop
Spybot S&D
Windows MediaPlayer
link to another folder
I have the same problem when I click on Desktop toolbar icons, but not icons on the desktop.
Will run the othere programs asap.
BW
John
Big_John
2008-06-28, 22:18
In the main text window please put the following link
LINK here
I think you forgot the LINK!?
I think you forgot the LINK!?
DOH !!!
http://forums.spybot.info/showthread.php?p=207324#post207324
That's what you get for rushing :oops:
Big_John
2008-06-30, 13:41
Hi again Katana
Over the last 2 or 3 days something has prevented me from accessing my web hosting CPanel and my Webmail on just this computer. (i.e. I can access them on another computer on the network. The ports are http://nbepiphany.co.uk:2082/ and http://nbepiphany.co.uk:2095/
AFAICS it's not the Windows Firewall causing the problem, because I tried switching it off, and the problem remained. AFAIK I have only installed and run the programs you told me to run and Vodafone Mobile Connect for the first time in this period. I don't know how to tell which ports are blocked - if that is the problem.
Your guidance would be appreciated :-)
TIA
John
Have you been able to connect after running combofix ?
That is the only tool we have used that may have affected anything.
OTScanIt just scans.
If you can't sort it, it may be worth trying system restore.
Big_John
2008-06-30, 16:54
If you can't sort it, it may be worth trying system restore.
Thanks for that advice, Katana.
I restored to 25th, and can access CPANEL again. Vodafone Mobile Connect Lite is working as well :laugh:
Unsurprisingly the (Quick Launch) Toolbar still exists.
Big_John
2008-06-30, 17:18
Thanks for that advice, Katana.
Unsurprisingly the (Quick Launch) Toolbar still exists.
:oops:Unsurprisingly the (Quick Launch) Toolbar problem still exists.
Please delete the copy of ComboFix that you have, and download the updated version from HERE (http://download.bleepingcomputer.com/sUBs/+/ComboFix.exe)
Please run the new ComboFix.exe using the same instructions as before
(ie disable all security programs)
Post the log, and make sure you can access CPanel.
Big_John
2008-07-01, 18:39
Please delete the copy of ComboFix that you have, and download the updated version from HERE (http://download.bleepingcomputer.com/sUBs/+/ComboFix.exe)
Please run the new ComboFix.exe using the same instructions as before
(ie disable all security programs)
Post the log, and make sure you can access CPanel.
I've run combofix and can access CPanel.
However, although I can connect to the Internet through the Vodafone USB Modem on the VCMLite dialup connection, the Vodafone Mobile Connect Lite program doesn't appear in the Systray or in the Task Manager. The software is on the USB Modem (E:). It shows me my upload/download speeds and volume of data used etc.
I won't do a system restore until you tell me to. :laugh:
ComboFix 08-06-30.2 - John Slee 2008-07-01 15:16:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.142 [GMT 1:00]
Running from: C:\Documents and Settings\John Slee.EPIPHANY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Slee.EPIPHANY\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\Cache
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Service_Iprip
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.
2010-10-10 10:09 . 2010-10-10 10:09 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2010-10-10 10:09 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\AvRack
2010-10-10 10:08 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-30 14:19 . 2008-06-30 14:19 <DIR> d-------- C:\Program Files\Vodafone
2008-06-28 23:57 . 2008-06-30 14:19 <DIR> d-------- C:\Program Files\Vodafone(2)
2008-06-27 11:06 . 2008-06-27 11:06 <DIR> d-------- C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Vodafone
2008-06-26 08:58 . 2008-06-30 14:22 <DIR> d-------- C:\RECYCLER(2)
2008-06-26 08:38 . 2008-06-30 14:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Vodafone
2008-06-24 14:37 . 2008-06-24 14:37 <DIR> d-------- C:\Documents and Settings\John Slee.EPIPHANY\Application Data\GlarySoft
2008-06-22 11:12 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-06-22 11:12 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-20 10:49 . 2008-06-20 10:49 <DIR> d-------- C:\Deckard
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-19 16:06 . 2008-06-19 16:17 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-19 12:44 . 2004-08-04 13:00 300,969 -----c--- C:\WINDOWS\system32\dllcache\viz.wmv
2008-06-19 12:43 . 2004-08-04 13:00 1,398 -----c--- C:\WINDOWS\system32\dllcache\taon.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,380 -----c--- C:\WINDOWS\system32\dllcache\taonh.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,380 -----c--- C:\WINDOWS\system32\dllcache\taoff.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,367 -----c--- C:\WINDOWS\system32\dllcache\taoffh.gif
2008-06-19 12:41 . 2004-08-04 13:00 572,557 -----c--- C:\WINDOWS\system32\dllcache\rtuner.wmv
2008-06-19 12:41 . 2008-04-14 01:12 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2008-06-19 12:41 . 2008-04-14 01:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-06-19 12:41 . 2004-08-03 22:29 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys
2008-06-19 12:41 . 2008-04-13 18:28 66,725 -----c--- C:\WINDOWS\system32\dllcache\revert.wmz
2008-06-19 12:41 . 2008-04-14 01:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-06-19 12:41 . 2008-04-13 19:56 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-06-19 12:41 . 2008-04-13 19:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-19 12:39 . 2008-04-14 01:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-06-19 12:39 . 2004-08-03 22:29 1,897,408 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-06-19 12:39 . 2004-08-04 13:00 375,519 -----c--- C:\WINDOWS\system32\dllcache\nuskin.wmv
2008-06-19 12:39 . 2004-08-03 22:41 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys
2008-06-19 12:39 . 2008-04-14 01:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-06-19 12:38 . 2008-04-14 01:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
2008-06-19 12:38 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-06-19 12:38 . 2004-08-04 13:00 22,060 -----c--- C:\WINDOWS\system32\dllcache\npds.zip
2008-06-19 12:38 . 2004-08-04 13:00 403 -----c--- C:\WINDOWS\system32\dllcache\npdrmv2.zip
2008-06-19 12:36 . 2008-04-14 01:10 294,912 -----c--- C:\WINDOWS\system32\dllcache\msaud32.acm
2008-06-19 12:35 . 2008-04-14 01:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-19 12:35 . 2008-04-14 01:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-06-19 12:35 . 2008-04-14 01:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-06-19 12:35 . 2004-08-04 13:00 97,117 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.hlp
2008-06-19 12:35 . 2008-04-14 01:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-06-19 12:35 . 2004-08-04 13:00 18,286 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.inf
2008-06-19 12:35 . 2004-08-04 13:00 2,778 -----c--- C:\WINDOWS\system32\dllcache\mplogoh.gif
2008-06-19 12:35 . 2004-08-04 13:00 2,545 -----c--- C:\WINDOWS\system32\dllcache\mplogo.gif
2008-06-19 12:35 . 2004-08-04 13:00 1,885 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.cnt
2008-06-19 12:34 . 2004-08-04 13:00 457,607 -----c--- C:\WINDOWS\system32\dllcache\mdlib.wmv
2008-06-19 12:34 . 2008-04-14 01:11 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2008-06-19 12:34 . 2004-08-03 22:41 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-19 12:33 . 2008-04-14 01:09 290,816 -----c--- C:\WINDOWS\system32\dllcache\l3codeca.acm
2008-06-19 12:33 . 2008-04-14 01:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-06-19 12:32 . 2008-04-14 01:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-06-19 12:30 . 2007-06-21 06:52 974 --------- C:\WINDOWS\system32\pid.inf
2008-06-19 12:29 . 2008-04-13 19:45 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-06-19 12:29 . 2008-04-13 19:43 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2008-06-19 12:27 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-06-19 12:27 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-06-19 12:27 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-06-19 12:27 . 2008-04-13 19:36 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-06-19 12:27 . 2008-04-14 01:11 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2008-06-19 12:27 . 2008-04-13 19:46 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2008-06-19 12:27 . 2008-04-13 19:45 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2008-06-19 12:25 . 2008-04-14 01:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-19 12:24 . 2008-04-14 01:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-06-19 12:24 . 2008-04-13 19:46 36,480 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2008-06-19 12:24 . 2008-04-14 01:11 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-19 12:24 . 2004-08-04 13:00 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-06-19 12:22 . 2008-04-14 01:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-06-19 12:22 . 2008-04-14 01:11 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Documents and Settings\John Slee.EPIPHANY\Application Data\SUPERAntiSpyware.com
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-18 23:49 . 2008-06-18 23:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 12:40 . 2008-06-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-18 12:26 . 2008-06-19 01:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 11:16 . 2008-06-30 14:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 11:16 . 2008-06-30 14:19 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-18 09:54 . 2008-06-18 09:54 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-06-17 18:52 . 2005-02-03 18:58 425,984 --a------ C:\WINDOWS\system32\GeoCodec.dll
2008-06-17 18:52 . 2005-02-03 18:58 425,984 -ra------ C:\WINDOWS\GeoCodec.dll
2008-06-17 18:52 . 2001-05-04 12:05 413,760 --a------ C:\WINDOWS\mpg4c32.dll
2008-06-17 18:52 . 2005-03-08 17:02 92,105 --a------ C:\WINDOWS\Stable_7000.xml
2008-06-17 18:52 . 2003-12-02 10:03 12,045 --a------ C:\WINDOWS\buzzer.wav
2008-06-16 16:42 . 2008-06-16 16:42 <DIR> d-------- C:\Program Files\MozBackup
2008-06-13 13:46 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:46 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-13 02:51 . 2008-06-13 21:10 765 --a------ C:\camerades.inf
2008-06-13 01:21 . 2008-04-13 19:46 85,248 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2008-06-13 01:21 . 2008-04-13 19:46 19,200 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2008-06-13 01:21 . 2008-04-13 19:46 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2008-06-13 01:21 . 2008-04-14 01:12 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-06-13 01:21 . 2008-04-13 19:46 15,232 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2008-06-13 01:21 . 2008-04-13 19:46 11,136 --a------ C:\WINDOWS\system32\drivers\slip.sys
2008-06-13 01:21 . 2008-04-13 19:46 10,880 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2008-06-13 01:21 . 2008-04-13 19:39 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 14:27 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\OpenOffice.org2
2008-07-01 14:25 1,893 ----a-w C:\WINDOWS\bcmwltrytmp.reg
2008-07-01 13:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-07-01 10:29 --------- d-----w C:\Program Files\Google
2008-07-01 07:29 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-30 14:12 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-06-26 07:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-20 12:03 --------- d-----w C:\Program Files\Java
2008-06-18 22:30 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-18 11:40 --------- d-----w C:\Program Files\Lavasoft
2008-06-18 09:39 --------- d-----w C:\Program Files\Email Marketing Pro 2008
2008-06-17 20:13 --------- d-----w C:\Program Files\QuickTime
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 00:29 --------- d-----w C:\Program Files\WebCam
2008-05-26 06:37 --------- d-----w C:\Program Files\palmOne
2008-05-25 21:16 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\AVGTOOLBAR
2008-05-25 21:07 9,388 ----a-w C:\WINDOWS\system32\drivers\iaStor.PNF
2008-05-25 21:07 7,280 ----a-w C:\WINDOWS\system32\drivers\viamraid.PNF
2008-05-25 21:07 63,240 ----a-w C:\WINDOWS\system32\drivers\Si3112r.PNF
2008-05-25 21:07 6,984 ----a-w C:\WINDOWS\system32\drivers\SiSRaid.PNF
2008-05-25 21:07 12,432 ----a-w C:\WINDOWS\system32\drivers\adpu320.PNF
2008-05-25 21:07 12,204 ----a-w C:\WINDOWS\system32\drivers\nvraid.PNF
2008-05-25 21:07 10,828 ----a-w C:\WINDOWS\system32\drivers\iaAHCI.PNF
2008-05-22 11:14 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\GeoSetter
2008-05-22 08:24 --------- d-----w C:\Program Files\GeoSetter
2008-05-18 09:35 --------- d-----w C:\Program Files\orange3
2008-05-17 19:46 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-17 19:46 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-17 19:46 --------- d-----w C:\Program Files\AVG
2008-05-17 19:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-17 10:36 --------- d-----w C:\Program Files\Water Explorer
2008-05-15 23:01 --------- d-----w C:\Program Files\Gallery Remote
2008-05-15 22:22 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\PFrank
2008-05-15 22:09 --------- d-----w C:\Program Files\PFrank
2008-05-15 10:03 --------- d--h--w C:\Program Files\Zero G Registry
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 15:56 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\BITS
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2007-04-21 14:32 80 ----a-w C:\Program Files\serial.txt
2007-01-10 15:37 278,528 ----a-w C:\Program Files\Common Files\FDEUnInstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 10:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"ISUSPM"="C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 16:41 222128]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"VMCL"="C:\Program Files\vodafone\vmclite\DongleEnumerator.exe" [2007-08-17 14:35 131072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-20 06:20 29744]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 10:35 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-17 20:46 1177368]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 05:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 17:22 577536 C:\WINDOWS\soundman.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 05:44 557056 C:\WINDOWS\sm56hlpr.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]
C:\Documents and Settings\John Slee.EPIPHANY\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM 393216]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/26/2006 8:56:55 AM 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [10/26/2006 12:24:59 AM 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM 282624]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [1/1/2007 12:22:03 PM 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 9:15:54 AM 65588]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-17 20:46]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-17 20:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 20:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-17 20:46]
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 18:22]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-20 06:20]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 phil2vid;Philips USB VGA Camera;C:\WINDOWS\system32\DRIVERS\philcam2.sys [2001-08-17 14:04]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e60155-ee01-11dc-8457-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e60156-ee01-11dc-8457-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31a2c79a-f811-11dc-847f-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31a2c79b-f811-11dc-847f-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36fa1034-ee72-11dc-8458-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{524a47c0-46a9-11dd-854a-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c32ba74-f006-11dc-845d-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf184a-f064-11dc-8461-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf184b-f064-11dc-8461-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d51d1d4c-f872-11dc-8481-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d51d1d4d-f872-11dc-8481-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb227-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb228-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb229-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb22d-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb22e-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 18:28:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Picasa Media Detector - C:\Program Files\Picasa2\PicasaMediaDetector
HKLM-Run-Broadcom Wireless Manager UI - C:\WINDOWS\system32\WLTRAY
HKLM-Run-BluetoothAuthenticationAgent - bthprops.cpl,,BluetoothAuthenticationAgent
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 15:26:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\wscntfy.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-01 15:36:11 - machine was rebooted [John Slee]
ComboFix-quarantined-files.txt 2008-07-01 14:36:01
ComboFix2.txt 2008-06-25 14:18:09
Pre-Run: 8,872,251,392 bytes free
Post-Run: 8,876,593,152 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
371 --- E O F --- 2008-06-20 14:13:37
Please be patient, I am just consulting with the author of ComboFix on the best course of action now.
(he's forgotten more than I will ever know :laugh:)
It may be best to reinstall the drivers/software for the modem rather than doing a system restore.
The items that ComboFix removed are generally related to malware so if the modem is using those service names then we need to know about it.
As for your original problem .....
this tool has been suggested for a try
http://www.kellys-korner-xp.com/taskbarplus!.htm
let me know how you get on.
Big_John
2008-07-02, 11:32
It may be best to reinstall the drivers/software for the modem rather than doing a system restore.
The items that ComboFix removed are generally related to malware so if the modem is using those service names then we need to know about it.
You just beat me to it this morning! Good morning!
When Windows starts up for the first time it is a common occurrence that not all the SysTray icons are shown. Particularly I notice the Volume and Power options are sometimes missing. This morning was a case in point, so I tried logging off and logging back in, and they reappeared. (A restart can have the same effect.
However, more relevant to the VCMLite problem was the fact that C:\Program Files\Vodafone\VMCLiteDongleEnumerator.exe appeared in a command prompt window, and "Vodafone Mobile Connect Lite" appeared in the SysTray, and PhoneConnectorVMC.exe was shown running in the Task Manager.
So what ComboFix may have done is to prevent the VMCLiteDongleEnumerator being run on initial Startup.
Does that indicate anything fixable?
As for your original problem .....
this tool has been suggested for a try
http://www.kellys-korner-xp.com/taskbarplus!.htm
I had tried this before, but not rigourously, so I have re-downloaded it, and will try it now.
So what ComboFix may have done is to prevent the VMCLiteDongleEnumerator being run on initial Startup.
Does that indicate anything fixable?
It most certainly did, and yes it is fixable by doing the following :)
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it fix.bat Please save it on your desktop.
@echo off
cd /d %systemdrive%\QooBox\Quarantine\Registry_backups
regedit /s HKLM-Run-BluetoothAuthenticationAgent.reg.dat
regedit /s HKLM-Run-Broadcom Wireless Manager UI.reg.dat
del /q %0
exit
Double click on fix.bat
I think it is fairly safe to say there is no malware that would be causing your problem.
It looks like it is either an OS problem or software conflict.
Unfortunately you are now outside my area of knowledge, so I'm going to have to recommend that you visit one of the tech forums for assistance.
http://www.techsupportforum.com/
http://www.bleepingcomputer.com/forums/
http://forums.whatthetech.com/forums.html
All the forums above have good support for software/OS problems, and I'm sure they will be able to help.
When you start your thread, explain what the problem is and let them know that you have been checked for malware.
Give them the following link, so they can see the logs if needed
http://forums.spybot.info/showpost.php?p=203809&postcount=1
Let me know when you have done the above batch file, and then we can do a bit of a clean up and remove the tools we have used.
Big_John
2008-07-02, 14:42
Let me know when you have done the above batch file, and then we can do a bit of a clean up and remove the tools we have used.
Nearly there, but there's still one outstanding problem with VMCLite. Al goes well if the modem is plugged in on startup.
However, PhoneConnectorVMC.exe is not activated when the Vodafone USB modem is plugged in during a Windows session. It was, before Combofix. Hope it's as easy as last time.
On the original problem, Kellys Taskbar Repair Tool, choosing the Taskbar/"Toolbars greyed out or missing" option restores the toolbar icons, and restores their left click function by restarting the Windows Shell. So thank you very much for that.
However (again!), Right-clicking any of the toolbar icons still de-activates the icons, so I'll try one of the other forums to try to get that one sorted.
Congratulations your logs look clean :D
Let's see if I can help you keep it that way
First lets tidy up :D
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You can also delete any logs we have produced, and empty your Recycle bin.
The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Big_John
2008-07-07, 21:23
Congratulations your logs look clean :D
Let's see if I can help you keep it that way
First lets tidy up :D
Have removed ComboFix as suggested.
I have one outstanding problem, though, which has a risen as a result of the changes it made, I presume.
When I disconnect from the Net using VMCLIte, and then re-connect, the Internet Connect Sharing is disabled, and I have to run the Network Wizard on teh Host Computer to reset it all. Any ideas why? Please provide an easy solution as it is tedious having to do this.
Thks
John
Hi Big_Hohn :)
I have spoken to the author of ComboFix and whilst he can't be positive that CF didn't do this (he has never used this software) he has doubts that it did.
When Windows starts up for the first time it is a common occurrence that not all the SysTray icons are shown. Particularly I notice the Volume and Power options are sometimes missing. This morning was a case in point, so I tried logging off and logging back in, and they reappeared. (A restart can have the same effect.
This post you made shows that there are problems with some of your programs starting, possibly due to program conflicts or OS instability.
The fact that you still have the toolbar problem, shows that something is still not right.
I recommend that you ask about this (Internet Connect Sharing is disabled) in the tech thread when you resolve the toolbar issue.
Sorry I couldn't be more help, but this is a software/os compatibility/stability issue and that is outside my area. :sad:
A quick question for you
What is E:\ ?
Is it a CD/DVD drive, or your USB dongle ?
Big_John
2008-07-08, 15:52
E:\ is the Vodafone USB Dongle
WBW
John
Big_John
2008-07-08, 15:58
Hi Big_Hohn :)
This post you made shows that there are problems with some of your programs starting, possibly due to program conflicts or OS instability.
Actually this is known Windows XP problem - I know several people with the same symptoms.
I have still had no help from bleepingcomputer - I know they are busy, but I wish someone would reply. The only reply I had was "post on the 'I haven't had a reply for more than 5 days' forum", which hasn't evoked any more help :-(
That's because your thead in the Windows XP Home and Professional room has been closed due to you having an open HJT thread.
You need to post to the HJT thread asking for it to be closed, and then start a new thread in the Windows room.
Hi Big John :)
Please do the following and see if the sharing problem is solved
Backup the Registry
Download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml) to your desktop
Double-click on the file to install the program
Untick the NTREGOPT desktop shortcut option
Click No when you get the option to run Erunt at Windows startup.
During the installation, tick Launch Erunt
Accept the defaults for running a backup
Erunt will then backup your registry
Create A Registry File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Regfix.reg Please save it on your desktop.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoDriveAutoRun"=dword:03ffffef
Make sure there are NO blank lines before REGEDIT4 and ONE blank line at the end/bottom
Double click on Regfix.reg and click Yes at the prompt
Still with us Big_John? :)
Big_John
2008-07-17, 21:09
Still with us Big_John? :)
Yes! Sorry, didn't get notification of Katana's last message (or it went into Junk). Will try following instructions asap.
Thanks
Hi Big_John,
Please send katana a PM (private message) if you need to continue.
For now this topic has been closed.