Can you guys/gals help? Had Smitfraud, is it still there?



rcbroncos
2008-09-10, 06:02
Hi Guys/Gals,

Can you help me out here? Awhile back (about 6 months ago) I got the Smitfraud trojan. I detected it through Spybot (1.5.2) and tried things until PC Doctor seemed to get rid of it. It still doesn't show up when I run Spybot, but some other things are noticeable (like my antivirus "locks up" on the file "xpsp3res.dll" every time and the overall system is much slower than usual). My fear is that there is some other remnant of Smitfraud that is not being detected.

Can you guide me through how to analyze this? Thanks!

Ron

__RiP_ChAiN_
2008-09-13, 10:15
Hello rcbroncos,

Click here (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

rcbroncos
2008-09-13, 23:59
Gang,

Thanks for your reply. As directed, I've copied the results of HiJackThis to this message below.

Ron

=========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:25 PM, on 9/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Matrox X.tools\DSOutputEnabler.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
O2 - BHO: (no name) - {51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKUS\S-1-5-21-3675345140-572454927-963639892-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3675345140-572454927-963639892-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3675345140-572454927-963639892-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-3675345140-572454927-963639892-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: cbXNEXRi - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DigiCtrl - Matrox Electronic Systems - C:\Program Files\Matrox X.tools\System\digisc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 12734 bytes
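A small triage pass over entries in the HijackThis log format posted above, added here as an example (not a tool from this thread or from HijackThis itself); the "worth a look" rules are my own, and the sample input is a constructed subset of the log's own lines. It flags the O2 BHO registrations with no backing DLL and the O20 Winlogon Notify entry pointing at a bare directory, the same items ComboFix later lists under ORPHANS REMOVED, plus autoruns given as a bare file name.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed test input: a subset of the entries from the HijackThis v2.0.2 log
# posted in this thread, kept in the exact line format HijackThis writes.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - (no file)
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: cbXNEXRi - C:\WINDOWS\
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O24 - Desktop Component 0: Privacy Protection - (no file)
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2", "O20"
    name: str      # CLSID, Run-key value name or Notify package name
    target: str    # what the entry points at
    reason: str    # why a reviewer should look at it


# One regex per HijackThis section shape handled below (my own parsing, assumed
# from the log lines in this thread, not an official format specification).
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
DESKTOP_RE = re.compile(r"^Desktop Component \d+: (?P<name>.*?) - (?P<path>.*)$")


def command_image(cmd: str) -> str:
    """Return the program part of an O4 command line: the quoted path if quoted,
    otherwise the first whitespace-delimited token (arguments are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return entries worth a second look.

    Flags: O2 BHO registrations with no backing DLL, O20 Winlogon Notify
    packages that name a directory (or nothing) rather than a DLL, O24 desktop
    components with no file, and O4 autoruns given as a bare file name, which
    Windows resolves through the search path, so the file that really loads
    has to be confirmed separately (ComboFix's "Reg Loading Points" does that).
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the process list are not O/R entries
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path") == "(no file)":
                findings.append(Finding(sec, b.group("clsid"), b.group("path"),
                                        "BHO registered with no backing DLL (orphaned CLSID)"))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                image = command_image(r.group("cmd"))
                if "\\" not in image:
                    findings.append(Finding(sec, r.group("name"), image,
                                            "autorun by bare file name; resolved via search path"))
        elif sec == "O20":
            n = NOTIFY_RE.match(body)
            if n and (n.group("path").endswith("\\") or n.group("path") == "(no file)"):
                findings.append(Finding(sec, n.group("name"), n.group("path"),
                                        "Winlogon Notify package with no DLL path"))
        elif sec == "O24":
            d = DESKTOP_RE.match(body)
            if d and d.group("path") == "(no file)":
                findings.append(Finding(sec, d.group("name"), d.group("path"),
                                        "desktop component with no file"))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings one per line, in log order."""
    return "\n".join(f"{x.section:<4} {x.name} -> {x.target}: {x.reason}" for x in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Entries with "(no file)" are stale registrations rather than active code, which is why a helper removes them as cleanup rather than treating them as a live infection.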

__RiP_ChAiN_
2008-09-14, 22:32
Hello rcbroncos,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.


Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

rcbroncos
2008-09-15, 02:42
Thanks so much for your help and guidance!

Below are the results of the Malwarebytes log file.

Did this get rid of everything?

Ron

=====================================================
Malwarebytes' Anti-Malware 1.28
Database version: 1152
Windows 5.1.2600 Service Pack 2

9/14/2008 6:39:57 PM
mbam-log-2008-09-14 (18-39-57).txt

Scan type: Quick Scan
Objects scanned: 56178
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\winzip81.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
===================================================

__RiP_ChAiN_
2008-09-15, 06:53
Hello rcbroncos,

We will continue the process with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

rcbroncos
2008-09-16, 05:45
Rip Chain,

Thanks again for your help. Below are the log files from "Combofix" and a rerun of HijackThis...

=========================================================
(Combofix log)

ComboFix 08-09-15.02 - Ron Chandler 2008-09-15 21:20:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -6:00]
Running from: C:\Documents and Settings\Ron Chandler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ron Chandler\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\aJSvCccf.ini
C:\WINDOWS\SYSTEM32\aJSvCccf.ini2
C:\WINDOWS\SYSTEM32\BIPVvyay.ini
C:\WINDOWS\SYSTEM32\BIPVvyay.ini2
C:\WINDOWS\system32\mprrlxnb.ini
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.

2008-09-15 20:16 . 2008-09-15 20:16 59,477,232 --a------ C:\WINDOWS\SYSTEM32\SNAGIT7
2008-09-14 16:11 . 2008-09-14 16:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 16:11 . 2008-09-14 16:11 <DIR> d-------- C:\Documents and Settings\Ron Chandler\Application Data\Malwarebytes
2008-09-14 16:11 . 2008-09-14 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-14 16:11 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-14 16:11 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-13 15:54 . 2008-09-13 15:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 20:21 . 2008-09-09 20:35 <DIR> d-------- C:\Program Files\Security Task Manager
2008-09-09 20:21 . 2008-09-09 20:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-09-06 20:26 . 2008-09-07 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-30 11:44 . 2008-08-30 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-30 11:43 . 2008-08-30 11:36 160,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys
2008-08-30 11:36 . 2008-08-30 11:41 <DIR> d-------- C:\Program Files\Common Files\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 03:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-16 01:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-12 00:26 --------- d-----w C:\Program Files\MalwareRemovalBot
2008-09-12 00:26 --------- d-----w C:\Documents and Settings\Ron Chandler\Application Data\MalwareRemovalBot
2008-09-10 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-06 20:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-30 18:28 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-30 18:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-30 18:28 --------- d-----w C:\Documents and Settings\Ron Chandler\Application Data\Symantec
2008-08-30 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-30 17:59 --------- d-----w C:\Documents and Settings\Nancy Chandler\Application Data\Symantec
2008-08-30 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 06:29 --------- d-----w C:\Program Files\LogMeIn
2007-09-03 02:50 82,224 ------w C:\Documents and Settings\Ron Chandler\Application Data\GDIPFONTCACHEV1.DAT
2004-03-26 22:17 700 ---h--w C:\Documents and Settings\Ron Chandler\hpothb07.dat
2003-08-27 20:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2002-05-02 98304]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"MalwareRemovalBot"="C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe" [2008-06-26 19162360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCASUTIEXE"="TCAUDIAG -off" [X]
"DSOutputEnabler"="C:\Program Files\Matrox X.tools\DSOutputEnabler.exe" [2003-10-22 61549]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2002-04-28 146432]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 94208]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 196608]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 163840]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-02 98304]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-07 262144]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 2483496]
"ATIPTA"="atiptaxx.exe" [2002-06-21 Panel\atiptaxx.exe]
"CTHelper"="CTHELPER.EXE" [2003-06-19 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-06-19 C:\WINDOWS\SYSTEM32\CTASIO.DLL]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\SYSTEM32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-02-23 67264]

C:\Documents and Settings\Ron Chandler\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-07-13 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-03 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2004-01-29 3325952]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux1"= ctwdm32.dll
"VIDC.PIM2"= RALCodec.dll
"vidc.dvsd"= digivcap.dll
"MSVIDEO"= MtxVidCap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
--------- 2003-06-12 08:47 135168 C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
--------- 2002-12-03 17:06 45056 C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 CINEMSUP;Cinemsup;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-07-19 6656]
R1 MemAlloc;MemAlloc;C:\WINDOWS\system32\DRIVERS\memalloc.sys [2002-01-29 5543]
R1 pctfw2;pctfw2;C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys [2008-08-30 160792]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2001-08-06 28672]
R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 19534]
R3 dgcodec;dgcodec;C:\WINDOWS\system32\Drivers\dgcodec.sys [2003-10-22 3239335]
R3 dgvideo;dgvideo;C:\WINDOWS\system32\Drivers\dgvideo.sys [2003-10-22 1246503]
R3 digim2ba;digim2ba;C:\WINDOWS\system32\Drivers\digim2ba.sys [2003-10-22 7908]
R3 DigiPnp;DigiPnp;C:\WINDOWS\system32\Drivers\DigiPnp.sys [2003-10-22 7266]
R3 digisclk;digisclk;C:\WINDOWS\system32\Drivers\digisclk.sys [2003-10-22 9348]
R3 digismem;digismem;C:\WINDOWS\system32\Drivers\digismem.sys [2003-10-22 28868]
R3 digisnif;digisnif;C:\WINDOWS\system32\Drivers\digisnif.sys [2003-10-22 74244]
R3 flex3dio;flex3dio;C:\WINDOWS\system32\Drivers\flex3dio.sys [2003-10-22 72644]
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 mvkG550rt;mvkG550rt;C:\WINDOWS\system32\DRIVERS\mvkG550rt.sys [2003-10-22 2989319]
R3 MvkMiniVFX;mvkMiniVFX;C:\WINDOWS\system32\Drivers\MvkMiniVFX.sys [2003-10-22 35147]
R3 mvkRTXio;mvkRTXio;C:\WINDOWS\system32\DRIVERS\mvkRtXIo.sys [2003-10-22 64359]
R3 mvkVideoBus;mvkVideoBus;C:\WINDOWS\system32\DRIVERS\mvkMinicuda.sys [2003-10-22 48973]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;C:\WINDOWS\system32\DRIVERS\lstone2k.sys [ ]
S3 RioDrv;Rio600 driver;C:\WINDOWS\system32\Drivers\RioDrv.sys [2001-08-18 12032]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-08 15576]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 38144]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
BHO-{51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)
BHO-{E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-cbXNEXRi - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.foxnews.com/
R0 -: HKLM-Main,Start Page = hxxp://www.dellnet.com
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 -: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} - hxxp://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
C:\WINDOWS\Downloaded Program Files\master.inf
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 21:26:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\devldr32.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\searchindexer.exe
.
**************************************************************************
.
Completion time: 2008-09-15 21:36:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-16 03:36:35

Pre-Run: 7,326,789,632 bytes free
Post-Run: 7,624,634,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

216 --- E O F --- 2008-09-10 04:33:11

======================================================
(HiJackThis Log)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:06 PM, on 9/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Matrox X.tools\DSOutputEnabler.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DigiCtrl - Matrox Electronic Systems - C:\Program Files\Matrox X.tools\System\digisc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 10685 bytes
==================================================

__RiP_ChAiN_
2008-09-18, 08:40
Hello rcbroncos,

Using Add Or Remove Programs, remove the following entries (if present). (To get into Add Or Remove Programs, press the START button > Control Panel > Add Or Remove Programs.)

MalwareRemovalBot

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


Folder::
C:\Program Files\MalwareRemovalBot
C:\Documents and Settings\Ron Chandler\Application Data\MalwareRemovalBot
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalwareRemovalBot"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
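As an added example (not part of this thread, and not code from ComboFix or HijackThis), here is a small Python parser for the two formats used in the post above: the HijackThis O4 (Run key) lines from the log, and the Folder::/Registry:: sections of a CFScript. It works out which autostart entries the script's Registry:: block would remove, and flags the pitfall of deleting a program folder while leaving its Run value behind, which is how the "(no file)" orphans in a ComboFix log arise. The sample lines are copied from the logs and the script posted in this thread; the function names, the hive-to-key mapping and the extension-based image-path heuristic are this example's own choices.

```python
"""Cross-check HijackThis O4 entries against a ComboFix CFScript.

Added example; not from either tool.  HJT_LOG and CFSCRIPT are copied from
the thread above.  The parsing rules below are this example's assumptions
about the two text formats, not an official specification.
"""
import re

# Copied from the HijackThis log posted in the thread (a subset of the O4 lines).
HJT_LOG = r"""
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - Startup: PowerReg Scheduler V3.exe
"""

# Copied from the CFScript posted in the thread.
CFSCRIPT = r"""
Folder::
C:\Program Files\MalwareRemovalBot
C:\Documents and Settings\Ron Chandler\Application Data\MalwareRemovalBot
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalwareRemovalBot"=-
"""

# O4 Run-key line: hive, value name in brackets, command, optional "(User '...')" suffix.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Shortest prefix of an unquoted command that ends in an executable extension.
EXE_PREFIX = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)


def run_key(hive):
    """Map the HJT hive abbreviation to the full Run key path (assumed mapping)."""
    if hive == "HKLM":
        return "HKEY_LOCAL_MACHINE\\" + RUN_SUBKEY
    if hive == "HKCU":
        return "HKEY_CURRENT_USER\\" + RUN_SUBKEY
    return "HKEY_USERS\\" + hive.split("\\", 1)[1] + "\\" + RUN_SUBKEY  # HKUS\<sid>


def image_path(cmd):
    """Approximate the executable a Run command launches.

    Quoted path: the quoted part.  Unquoted: the shortest prefix ending in an
    executable extension, else the first token (heuristic, not CreateProcess's
    exact search order).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_PREFIX.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def parse_hjt_o4(text):
    """Return one dict per O4 Run-key line; Startup-folder O4 lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append({"name": m["name"], "key": run_key(m["hive"]),
                            "cmd": m["cmd"], "image": image_path(m["cmd"])})
    return entries


def parse_cfscript(text):
    """Parse the Folder:: and Registry:: sections of a CFScript.

    In Registry::, "[key]" selects a key, "[-key]" deletes it, and
    "name"=- deletes a value (.reg-file syntax).
    """
    script = {"folders": [], "delete_values": set(), "delete_keys": set()}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, key = line[:-2], None
        elif section == "Folder":
            script["folders"].append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                script["delete_keys"].add(line[2:-1].upper())
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1].upper()
            elif key and line.endswith("=-"):
                script["delete_values"].add((key, line[:-2].strip().strip('"').upper()))
    return script


def plan_removals(log_text, script_text):
    """Split the O4 entries into those the script removes and those it leaves."""
    script = parse_cfscript(script_text)
    removed, remaining = [], []
    for e in parse_hjt_o4(log_text):
        k = e["key"].upper()
        hit = k in script["delete_keys"] or (k, e["name"].upper()) in script["delete_values"]
        (removed if hit else remaining).append(e)
    return removed, remaining


def orphaned_by_folders(remaining, folders):
    """Run entries whose image lives under a folder the script deletes: future '(no file)' orphans."""
    roots = [f.rstrip("\\").upper() + "\\" for f in folders]
    return [e for e in remaining if any(e["image"].upper().startswith(r) for r in roots)]


if __name__ == "__main__":
    removed, remaining = plan_removals(HJT_LOG, CFSCRIPT)
    print("removed: ", [e["name"] for e in removed])
    print("remaining:", [e["name"] for e in remaining])
    print("orphans:  ", [e["name"] for e in orphaned_by_folders(
        remaining, parse_cfscript(CFSCRIPT)["folders"])])
```

Run stand-alone it reports one removal (MalwareRemovalBot) and no orphans, because the script above deletes both the folders and the Run value. Feed it a Folder::-only script and the same entry shows up as an orphan, which is the situation the "ORPHANS REMOVED" block in the ComboFix log cleans up after the fact. The image-path rule is an approximation: for an unquoted path with spaces Windows tries progressively longer prefixes, so a real verifier should also confirm the file exists on disk.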

rcbroncos
2008-09-19, 05:41
Hi RipChain,

I've attached the results of the latest Combofix run below.

Was that program "Malwareremovalbot" a bad program?

Thanks again for the continued help!

Ron

====================================================
(Combofix log)

ComboFix 08-09-16.05 - Ron Chandler 2008-09-18 21:04:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.553 [GMT -6:00]
Running from: C:\Documents and Settings\Ron Chandler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ron Chandler\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ron Chandler\Application Data\MalwareRemovalBot
C:\Documents and Settings\Ron Chandler\Application Data\MalwareRemovalBot\Log\2008 Sep 18 - 06_10_40 PM_250.log
C:\Documents and Settings\Ron Chandler\Application Data\MalwareRemovalBot\rs.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-17 20:46 . 2008-09-18 20:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-09-15 20:16 . 2008-09-15 20:16 59,477,232 --a------ C:\WINDOWS\SYSTEM32\SNAGIT7
2008-09-14 16:11 . 2008-09-14 16:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 16:11 . 2008-09-14 16:11 <DIR> d-------- C:\Documents and Settings\Ron Chandler\Application Data\Malwarebytes
2008-09-14 16:11 . 2008-09-14 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-14 16:11 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-14 16:11 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-13 15:54 . 2008-09-13 15:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 20:21 . 2008-09-09 20:35 <DIR> d-------- C:\Program Files\Security Task Manager
2008-09-09 20:21 . 2008-09-09 20:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-09-06 20:26 . 2008-09-07 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-30 11:44 . 2008-08-30 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-30 11:43 . 2008-08-30 11:36 160,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys
2008-08-30 11:36 . 2008-08-30 11:41 <DIR> d-------- C:\Program Files\Common Files\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 03:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 00:42 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-18 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-06 20:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-30 18:28 --------- d-----w C:\Program Files\Norton AntiVirus
2008-08-30 18:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-30 18:28 --------- d-----w C:\Documents and Settings\Ron Chandler\Application Data\Symantec
2008-08-30 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-30 17:59 --------- d-----w C:\Documents and Settings\Nancy Chandler\Application Data\Symantec
2008-08-30 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 06:29 --------- d-----w C:\Program Files\LogMeIn
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2007-09-03 02:50 82,224 ------w C:\Documents and Settings\Ron Chandler\Application Data\GDIPFONTCACHEV1.DAT
2004-03-26 22:17 700 ---h--w C:\Documents and Settings\Ron Chandler\hpothb07.dat
2003-08-27 20:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-15_21.36.03.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-27 01:49:48 1,011,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSDAIPP.DLL
+ 2006-10-27 01:49:46 970,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSONSEXT.DLL
+ 2006-10-27 21:00:10 576,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACACEDAO.DLL
+ 2006-10-27 03:18:12 162,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACCWIZ.DLL
+ 2006-10-27 21:00:12 1,751,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACECORE.DLL
+ 2006-10-27 21:00:10 576,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEDAO.DLL
+ 2006-10-27 21:00:06 47,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEERR.DLL
+ 2006-10-27 21:00:08 191,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEES.DLL
+ 2006-10-27 02:13:34 338,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEEXCH.DLL
+ 2006-10-27 02:13:44 629,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEEXCL.DLL
+ 2006-10-27 02:13:28 207,736 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACELTS.DLL
+ 2006-10-27 02:13:32 279,352 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEODBC.DLL
+ 2006-10-27 02:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEODDBS.DLL
+ 2006-10-27 02:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEODEXL.DLL
+ 2006-10-27 02:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEODPDX.DLL
+ 2006-10-27 02:13:12 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEODTXT.DLL
+ 2006-10-27 21:00:06 387,960 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEOLEDB.DLL
+ 2006-10-27 02:13:38 392,048 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEPDE.DLL
+ 2006-10-27 02:13:30 260,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACER2X.DLL
+ 2006-10-27 02:13:32 289,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACER3X.DLL
+ 2006-10-27 02:13:20 56,120 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACERCLR.DLL
+ 2006-10-27 02:13:38 551,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEREP.DLL
+ 2006-10-27 02:13:30 224,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACETXT.DLL
+ 2006-10-27 21:40:34 208,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEWSS.DLL
+ 2006-10-27 02:13:34 371,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ACEXBE.DLL
+ 2006-10-27 21:41:04 399,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\CDLMSO.DLL
+ 2006-10-27 01:59:24 205,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\CLVIEW.EXE
+ 2006-10-27 03:30:42 65,312 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\COLLIMP.DLL
+ 2006-10-27 02:12:52 189,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\CONTACTPICKER.DLL
+ 2006-10-27 06:48:08 234,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\DRAT.EXE
+ 2006-10-27 01:48:14 439,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\DWDCW20.DLL
+ 2006-10-26 20:10:08 1,190,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\FM20.DLL
+ 2006-10-26 20:04:58 75,576 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\FORM.DLL
+ 2006-10-27 01:21:24 1,682,232 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\FPSRVUTL.DLL
+ 2006-10-27 21:09:36 983,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\FPWEC.DLL
+ 2006-10-27 02:02:12 2,526,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GRAPH.EXE
+ 2006-10-27 21:37:44 338,216 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVE.EXE
+ 2006-10-27 21:38:02 6,191,400 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEACCOUNTMGR.DLL
+ 2006-10-27 21:37:44 284,448 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEAUDIO.DLL
+ 2006-10-27 06:47:54 65,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEAUDITSERVICE.EXE
+ 2006-10-27 21:37:40 34,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEAUTOPROXY.DLL
+ 2006-10-27 21:37:44 300,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVECALENDARTOOL.DLL
+ 2006-10-27 06:47:44 33,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVECLEAN.EXE
+ 2006-10-27 21:37:56 2,689,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVECOMMONCOMPONENTS.DLL
+ 2006-10-27 21:38:00 3,508,544 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVECOMMUNICATIONSSERVICES.DLL
+ 2006-10-27 21:37:40 117,584 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVECOMMUNICATIONSSTATUSANDCONTROL.DLL
+ 2006-10-27 21:37:50 768,304 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVECOMPONENTMGR.DLL
+ 2006-10-27 21:37:52 1,359,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVECRYPTO.DLL
+ 2006-10-27 06:48:24 377,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEDATAVIEWERTOOL.DLL
+ 2006-10-27 21:37:58 3,071,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEDOCUMENTSHARETOOL.DLL
+ 2006-10-27 21:37:44 284,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEFETCHSERVICES.DLL
+ 2006-10-27 06:48:00 197,920 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEGAMES.DLL
+ 2006-10-27 06:48:18 317,736 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEMIGRATOR.EXE
+ 2006-10-27 06:48:40 1,555,232 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEMISC.DLL
+ 2006-10-27 06:47:42 31,016 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE
+ 2006-10-27 06:47:40 22,808 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVENEW.DLL
+ 2006-10-27 06:48:02 224,048 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEPROJECTTOOLSET.DLL
+ 2006-10-27 21:38:04 7,053,096 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVERESOURCE.DLL
+ 2006-10-27 06:48:42 2,210,608 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVESHELLEXTENSIONS.DLL
+ 2006-10-27 06:48:18 363,304 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVESKETCHTOOL.DLL
+ 2006-10-27 06:47:40 16,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVESTDURLLAUNCHER.EXE
+ 2006-10-27 21:37:56 2,738,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVESTORAGEMGR.DLL
+ 2006-10-27 21:37:38 35,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVESYSTEMMODE.DLL
+ 2006-10-27 06:48:02 222,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVESYSTEMSERVICES.DLL
+ 2006-10-27 21:37:50 1,163,048 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVETEXTTOOLS.DLL
+ 2006-10-27 21:38:00 4,746,536 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVETRANSCEIVER.DLL
+ 2006-10-27 21:37:54 1,396,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEUIFRAMEWORK.DLL
+ 2006-10-27 06:48:34 955,680 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEUTIL.DLL
+ 2006-10-27 21:37:40 268,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEWEBBROWSERTOOL2.DLL
+ 2006-10-27 06:48:26 572,216 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEWEBPLATFORMSERVICES.DLL
+ 2006-10-27 21:37:48 631,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\GROOVEWEBSERVICES.DLL
+ 2006-10-27 02:12:52 173,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\IEAWSDC.DLL
+ 2006-10-27 21:10:08 1,439,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\INFOPATH.EXE
+ 2006-10-27 21:10:10 5,456,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\IPDESIGN.DLL
+ 2006-10-27 21:10:10 5,281,592 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\IPEDITOR.DLL
+ 2006-10-27 03:42:00 176,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\IPOLK.DLL
+ 2006-10-27 01:55:10 828,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MEDCAT.DLL
+ 2006-10-27 21:01:34 10,371,880 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSACCESS.EXE
+ 2006-10-27 03:18:06 66,880 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSAEXP30.DLL
+ 2006-10-26 19:58:14 117,552 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSCONV97.DLL
+ 2006-10-27 20:59:06 161,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSOCF.DLL
+ 2006-10-27 01:48:12 14,664 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSOCFU.DLL
+ 2006-10-27 02:12:58 428,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSODCW.DLL
+ 2006-10-27 03:13:36 26,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSOEURO.DLL
+ 2006-10-27 02:00:08 6,635,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSORES.DLL
+ 2006-10-26 19:56:36 436,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSORUN.DLL
+ 2006-10-27 01:50:04 672,024 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSQRY32.EXE
+ 2006-10-26 19:56:40 505,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSSOAP30.DLL
+ 2006-10-27 01:55:12 832,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSTORDB.EXE
+ 2006-10-27 01:55:06 538,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\MSTORES.DLL
+ 2006-10-27 02:12:30 65,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\NAME.DLL
+ 2006-10-27 21:14:34 14,151,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OART.DLL
+ 2006-10-27 02:06:54 232,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ODEPLOY.EXE
+ 2006-10-27 02:14:06 7,033,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OFFOWC.DLL
+ 2006-10-27 02:00:08 274,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OIS.EXE
+ 2006-10-27 02:00:12 998,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OISAPP.DLL
+ 2006-10-27 02:00:10 285,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OISGRAPH.DLL
+ 2006-10-27 21:39:36 687,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ONBTTNOL.DLL
+ 2006-10-27 02:23:00 782,720 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\ONSYNCPC.DLL
+ 2006-10-27 02:07:04 6,536,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OSETUP.DLL
+ 2006-07-27 00:53:56 459,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL
+ 2006-10-27 03:30:44 482,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\PORTCONN.DLL
+ 2006-10-27 01:52:10 2,012,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\PPTVIEW.EXE
+ 2006-10-26 20:05:00 77,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\PSOM.DLL
+ 2006-10-27 03:13:38 38,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\REFEDIT.DLL
+ 2006-10-27 03:42:12 744,808 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\REGFORM.EXE
+ 2006-10-26 20:04:44 19,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\REVERSE.DLL
+ 2006-10-27 02:13:00 503,624 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\SELFCERT.EXE
+ 2006-10-27 02:06:58 439,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\SETUP.EXE
+ 2006-10-27 03:18:16 502,608 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\SOA.DLL
+ 2006-07-28 21:21:58 277,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\SSGEN.DLL
+ 2006-10-27 20:57:08 2,330,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\STSLIST.DLL
+ 2006-10-26 20:04:48 29,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\THOCRAPI.DLL
+ 2006-10-26 20:05:04 126,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\TWCUTCHR.DLL
+ 2006-10-26 20:05:02 86,840 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\TWCUTLIN.DLL
+ 2006-10-26 20:04:56 58,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\TWLAY32.DLL
+ 2006-10-26 20:04:48 27,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\TWORIENT.DLL
+ 2006-10-26 20:04:54 51,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\TWRECE.DLL
+ 2006-10-26 20:04:44 19,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\TWRECS.DLL
+ 2006-10-26 20:04:58 76,624 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\TWSTRUCT.DLL
+ 2006-09-30 06:42:56 2,583,344 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\VBE6.DLL
+ 2006-10-27 04:58:38 3,732,792 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\VVIEWER.DLL
+ 2006-10-26 20:05:08 1,181,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\XIMAGE3B.DLL
+ 2006-10-26 20:05:08 530,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.4518\XPAGE3C.DLL
- 2008-01-21 17:14:51 217,864 ------r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-09-18 03:57:10 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2008-09-10 04:31:19 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-09-18 03:54:26 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-09-10 04:31:21 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-09-18 03:54:27 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-09-10 04:31:19 159,504 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-09-18 03:54:27 159,504 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-09-10 04:31:19 184,080 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-09-18 03:54:27 184,080 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-09-10 04:31:20 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-09-18 03:54:27 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-09-10 04:31:21 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-09-18 03:54:27 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-09-10 04:31:22 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-09-18 03:54:27 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-09-10 04:31:19 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-09-18 03:54:27 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-09-10 04:31:20 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-09-18 03:54:27 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-09-10 04:31:20 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-09-18 03:54:27 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-09-10 04:31:21 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-09-18 03:54:27 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-09-10 04:31:19 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-09-18 03:54:27 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2006-10-26 20:10:08 1,190,688 ------w C:\WINDOWS\SYSTEM32\FM20.DLL
+ 2007-08-23 07:03:38 1,195,888 ----a-w C:\WINDOWS\SYSTEM32\FM20.DLL
- 2008-09-16 01:01:00 47,924 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-09-19 00:15:13 47,808 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-09-16 01:01:00 335,552 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-09-19 00:15:13 335,244 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-08-23 06:18:08 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2007-08-23 06:18:08 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2007-08-23 06:18:08 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2007-08-23 06:18:08 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2007-08-23 06:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2007-08-23 06:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2007-08-23 06:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2007-08-23 06:18:08 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2007-08-23 06:18:08 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2002-05-02 98304]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCASUTIEXE"="TCAUDIAG -off" [X]
"DSOutputEnabler"="C:\Program Files\Matrox X.tools\DSOutputEnabler.exe" [2003-10-22 61549]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2002-04-28 146432]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 94208]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 196608]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 163840]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-02 98304]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe" [2002-06-07 262144]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2007-08-20 2483496]
"ATIPTA"="atiptaxx.exe" [2002-06-21 Panel\atiptaxx.exe]
"CTHelper"="CTHELPER.EXE" [2003-06-19 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-06-19 C:\WINDOWS\SYSTEM32\CTASIO.DLL]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\SYSTEM32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-02-23 67264]

C:\Documents and Settings\Ron Chandler\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-07-13 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-03 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2004-01-29 3325952]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXNEXRi]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux1"= ctwdm32.dll
"VIDC.PIM2"= RALCodec.dll
"vidc.dvsd"= digivcap.dll
"MSVIDEO"= MtxVidCap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
--------- 2003-06-12 08:47 135168 C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
--------- 2002-12-03 17:06 45056 C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 CINEMSUP;Cinemsup;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-07-19 6656]
R1 MemAlloc;MemAlloc;C:\WINDOWS\system32\DRIVERS\memalloc.sys [2002-01-29 5543]
R1 pctfw2;pctfw2;C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys [2008-08-30 160792]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe [2001-08-06 28672]
R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 19534]
R3 dgcodec;dgcodec;C:\WINDOWS\system32\Drivers\dgcodec.sys [2003-10-22 3239335]
R3 dgvideo;dgvideo;C:\WINDOWS\system32\Drivers\dgvideo.sys [2003-10-22 1246503]
R3 digim2ba;digim2ba;C:\WINDOWS\system32\Drivers\digim2ba.sys [2003-10-22 7908]
R3 DigiPnp;DigiPnp;C:\WINDOWS\system32\Drivers\DigiPnp.sys [2003-10-22 7266]
R3 digisclk;digisclk;C:\WINDOWS\system32\Drivers\digisclk.sys [2003-10-22 9348]
R3 digismem;digismem;C:\WINDOWS\system32\Drivers\digismem.sys [2003-10-22 28868]
R3 digisnif;digisnif;C:\WINDOWS\system32\Drivers\digisnif.sys [2003-10-22 74244]
R3 flex3dio;flex3dio;C:\WINDOWS\system32\Drivers\flex3dio.sys [2003-10-22 72644]
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 mvkG550rt;mvkG550rt;C:\WINDOWS\system32\DRIVERS\mvkG550rt.sys [2003-10-22 2989319]
R3 MvkMiniVFX;mvkMiniVFX;C:\WINDOWS\system32\Drivers\MvkMiniVFX.sys [2003-10-22 35147]
R3 mvkRTXio;mvkRTXio;C:\WINDOWS\system32\DRIVERS\mvkRtXIo.sys [2003-10-22 64359]
R3 mvkVideoBus;mvkVideoBus;C:\WINDOWS\system32\DRIVERS\mvkMinicuda.sys [2003-10-22 48973]
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;C:\WINDOWS\system32\DRIVERS\lstone2k.sys [ ]
S3 RioDrv;Rio600 driver;C:\WINDOWS\system32\Drivers\RioDrv.sys [2001-08-18 12032]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-08 15576]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 38144]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
BHO-{51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)
BHO-{E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 21:08:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-18 21:11:43
ComboFix-quarantined-files.txt 2008-09-19 03:11:05
ComboFix2.txt 2008-09-16 03:36:43

Pre-Run: 6,100,512,768 bytes free
Post-Run: 6,091,448,320 bytes free

372 --- E O F --- 2008-09-19 02:28:12

(end of Combofix log)
=============================================

__RiP_ChAiN_
2008-09-19, 07:30
Hello rcbroncos,


Was that program "Malwareremovalbot" a bad program?
It's not technically malware in itself, but it is something called a rogue program which will bring up false detections of malware, and then ask you to pay for the removal of them.

Could you please go to C:\Program Files\Trend Micro\HijackThis\ and rename the file HijackThis.exe into Nameless.exe and post a new log from there?

rcbroncos
2008-09-21, 02:43
Hi RipChain,

Below are the log file results after renaming "HiJackThis.exe" to "Nameless.exe" within that directory you specified. Just a note, I double-clicked on this file (the "Nameless.exe") instead of double-clicking the "HiJackThis" icon on my desktop. Below are the results of the scan.

Thanks again for all your help.

==========================================================
(start of log file)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:32 PM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Matrox X.tools\DSOutputEnabler.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Nameless.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
O2 - BHO: (no name) - {51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: cbXNEXRi - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DigiCtrl - Matrox Electronic Systems - C:\Program Files\Matrox X.tools\System\digisc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11027 bytes

(end of log file)
====================================================

__RiP_ChAiN_
2008-09-22, 15:33
Hello rcbroncos,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
O2 - BHO: (no name) - {51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)
O2 - BHO: (no name) - {E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)
O20 - Winlogon Notify: cbXNEXRi - C:\WINDOWS\
O24 - Desktop Component 0: Privacy Protection - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)

Note: This Scanner is for Internet Explorer Only!
Follow the Instruction Here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.
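The five entries queued for "Fix checked" above share one property: HijackThis found a registry reference whose target is gone. The following is an added illustration, not code from this thread, from HijackThis or from its authors; it parses O2, O20 and O24 lines and flags exactly that condition. The sample lines are copied from the log posted above, except the LMIinit O20 line, which is constructed as a benign control (the real log only shows LMIinit under winlogon\notify in the ComboFix output). Run against the sample it returns the same five lines the helper listed.

```python
"""Triage helper for HijackThis v2 logs (added example, not thread code).

Picks out the three entry classes the helper queued for "Fix checked":
O2 BHOs whose DLL is gone, O20 Winlogon Notify packages with no module
behind them, and O24 desktop components with no file.
"""
import re

# Sample input: lines copied from the HijackThis log posted in this thread,
# plus one constructed O20 line (LMIinit) as a benign control.
SAMPLE_LOG_LINES = [
    "O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\\Program Files\\TechSmith\\SnagIt 7\\SnagItBHO.dll",
    "O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)",
    "O2 - BHO: (no name) - {51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)",
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: (no name) - {E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)",
    "O20 - Winlogon Notify: cbXNEXRi - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: LMIinit - C:\\WINDOWS\\SYSTEM32\\LMIinit.dll",  # constructed control line
    "O24 - Desktop Component 0: Privacy Protection - (no file)",
]

# One pattern per entry class. HijackThis separates fields with " - ".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
O24_RE = re.compile(r"^O24 - Desktop Component \d+: (?P<name>.*?) - (?P<path>.*)$")


def no_backing_file(path):
    """True when HijackThis could not resolve the entry to a file on disk.

    "(no file)" is HijackThis's own marker. A path that is empty or ends in a
    directory separator (as in 'cbXNEXRi - C:\\WINDOWS\\') means the registry
    value names a module that no longer exists, which is what the orphan in
    this thread looks like.
    """
    path = path.strip()
    return path in ("", "(no file)") or path.endswith("\\")


def triage(lines):
    """Return (line, reason) pairs for entries a reviewer would queue for removal."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = O2_RE.match(line)
        if m:
            if no_backing_file(m["path"]):
                findings.append((line, "orphaned BHO: CLSID still registered, DLL missing"))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon, so a
            # registered package with no module behind it has no reason to stay.
            if no_backing_file(m["path"]):
                findings.append((line, "Winlogon Notify package with no module on disk"))
            continue
        m = O24_RE.match(line)
        if m and no_backing_file(m["path"]):
            findings.append((line, "Active Desktop component with no file"))
    return findings


def fix_list(lines):
    """The exact lines to tick in HijackThis, in log order."""
    return [line for line, _ in triage(lines)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG_LINES):
        print(f"{reason}\n    {line}")
```

The check is deliberately narrow: it only flags entries whose target is absent, which is the safe end of the spectrum (removing a dangling reference cannot break a program that is no longer there). Entries with a live module, such as the LMIinit control line, are left for a human to judge, which matches the thread's own "DO NOT have Hijackthis fix anything yet" rule.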

rcbroncos
2008-09-23, 13:16
Thanks again, RipChain.

Below is the log file from F-Secure:

========================================================
(start of logfile)

Scanning Report
Monday, September 22, 2008 21:43:17 - 05:13:11
Computer name: VIDEO
Scanning type: Scan system for malware, rootkits
Target: C:\ F:\ G:\ H:\


--------------------------------------------------------------------------------

Result: 7 malware found
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
Trojan.Win32.Obfuscated.gx (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP1193\A0123045.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP1193\A0123048.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP1193\A0123050.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FB160F56-3CF0-4E10-9E02-CF29FD976694}\RP1193\A0123054.EXE (Renamed & Submitted)
Vundo.gen197 (virus)
C:\WINDOWS\SYSTEM32\LWOWJGCF.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 80489
System: 4925
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 4
Deleted: 0
None: 3
Submitted: 5
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-09-23
F-Secure AVP: 7.0.171, 2008-09-22
F-Secure Pegasus: 1.20.0, 2008-08-09
F-Secure Blacklight: 2.2.1092
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


(end of logfile)
=====================================================

__RiP_ChAiN_
2008-09-24, 00:35
Hello rcbroncos,

Please post back with a new HijackThis log, and an update on how your computer is running.

rcbroncos
2008-09-24, 04:21
RipChain,

The system seems to be running much, much faster! Thank you again for all your hard work and patience. You guys are the greatest.

Below is the recently run HiJackThis log file...

=======================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:23 PM, on 9/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Matrox X.tools\DSOutputEnabler.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Nameless.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
O2 - BHO: (no name) - {51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: cbXNEXRi - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DigiCtrl - Matrox Electronic Systems - C:\Program Files\Matrox X.tools\System\digisc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11175 bytes
======================================================

__RiP_ChAiN_
2008-09-25, 10:01
Hello rcbroncos,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
O2 - BHO: (no name) - {51B9EC5D-2C1A-42BC-AC44-DF4509ACFDB6} - (no file)
O2 - BHO: (no name) - {E5738F13-507D-4947-B0A5-E2FDEC4A945B} - (no file)
O20 - Winlogon Notify: cbXNEXRi - C:\WINDOWS\
O24 - Desktop Component 0: Privacy Protection - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Then please post back with a fresh HijackThis log.
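
The entries the helper picks out above all share one trait: a registration that survives in the registry after the file behind it is gone (a BHO or Active Desktop component reported as "(no file)", a Winlogon Notify key pointing at a bare directory). The following Python script is an added example, not code from the helper or from HijackThis, that parses lines in the HijackThis v2 log format and applies exactly that triage rule. The sample log is constructed from lines in this thread plus one hypothetical healthy O20 entry (ExampleNotify) and an O4 line as negative cases.

```python
import re

# Constructed sample in HijackThis v2 log format. The O2/O20/O24 lines are the
# ones the helper flagged in this thread; the O4 line and the second O20 line
# (ExampleNotify, a hypothetical healthy entry) are there as negative cases.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {4FCB2794-DAC4-4A04-9F78-2702CDE44BC8} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\\Program Files\\Microsoft Money\\System\\mnyviewer.dll
O20 - Winlogon Notify: cbXNEXRi - C:\\WINDOWS\\
O20 - Winlogon Notify: ExampleNotify - C:\\WINDOWS\\system32\\example.dll
O24 - Desktop Component 0: Privacy Protection - (no file)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Every HijackThis entry starts with a section code (R0, F2, O2, O20, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


def parse_entry(line):
    """Split one HijackThis line into its section code and body; None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def last_field(body):
    """HijackThis separates fields with ' - '; the file path is always the last one."""
    return body.rsplit(" - ", 1)[-1].strip()


def check_entry(kind, body):
    """Return a reason string if the entry looks like an orphaned leftover, else None."""
    path = last_field(body)
    if kind == "O2" and path == "(no file)":
        return "BHO CLSID is still registered but its DLL is gone (orphaned registration)"
    if kind == "O20" and (path.endswith("\\") or not path.lower().endswith(".dll")):
        return "Winlogon Notify entry points at a directory, not a DLL (leftover of a removed package)"
    if kind == "O24" and path == "(no file)":
        return "Active Desktop component has no backing file"
    return None


def triage(log_text):
    """Walk a HijackThis log and collect entries worth reviewing, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue  # header lines, the running-process list, blank lines
        kind, body = parsed
        reason = check_entry(kind, body)
        if reason:
            findings.append({"kind": kind, "entry": raw.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['reason']}\n     {f['entry']}")
```

Run it and it lists the three entries the helper asked to have fixed and nothing else; the "(no name)" BHO that still has a real DLL (mnyviewer.dll) is left alone, just as the helper left it, because a missing friendly name on its own is not evidence of anything. The rule set is deliberately narrow: it only reports registrations that cannot work at all, which is the kind of remnant a cleanup leaves behind.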

rcbroncos
2008-09-27, 15:38
Hi RipChain,

Thanks. Below is the attached log. As an fyi of the sequence of actions I took - I ran "Nameless.exe", checked the boxes you indicated, clicked "fix", closed "Nameless.exe", re-opened "Nameless.exe", and created the log file below.

Thanks.

======================================================
(log file)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:56 AM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Matrox X.tools\DSOutputEnabler.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Matrox X.tools\System\digisc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Nameless.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [DSOutputEnabler] "C:\Program Files\Matrox X.tools\DSOutputEnabler.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DigiCtrl - Matrox Electronic Systems - C:\Program Files\Matrox X.tools\System\digisc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11031 bytes

(end of log file)
===================================================

__RiP_ChAiN_
2008-09-30, 16:23
Hello rcbroncos,

Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

When shown the disclaimer, Select "2"


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
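
The MVPS hosts file recommended above works by mapping unwanted hostnames to 127.0.0.1 (or 0.0.0.0), and a hosts file is also something worth checking periodically, because a mapping that points a hostname at a real address instead of loopback is the opposite of blocking: it redirects. The Python script below is an added example, not part of the helper's post or of the MVPS project, that parses a hosts file and separates ordinary blocking entries from mappings that need a second look. The sample hosts file is constructed for the example; the entry for windowsupdate.microsoft.com pointing at 192.0.2.10 (a documentation-range address) is a constructed illustration, not something observed on this machine.

```python
import ipaddress

# Constructed sample hosts file (not a real MVPS download). Line 7 is a
# constructed example of a mapping that redirects rather than blocks.
SAMPLE_HOSTS = """\
# constructed sample for the example
127.0.0.1 localhost
# MVPS-style blocking entries: unwanted hosts sunk to loopback / 0.0.0.0
0.0.0.0 ad.example.net
127.0.0.1 tracker.example.org
# constructed entry that points an update host at a real (TEST-NET) address
192.0.2.10 windowsupdate.microsoft.com
"""

# Addresses a blocklist-style hosts file legitimately maps names to.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that are expected to resolve to loopback and carry no signal either way.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (line_number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue                            # blank, comment-only, or malformed line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first token is not an address; skip
        for name in parts[1:]:                  # one address may carry several names
            entries.append((lineno, str(addr), name.lower()))
    return entries


def audit_hosts(text):
    """Classify mappings: 'blocked' (sunk to loopback) vs 'suspect' (pointed at a real address)."""
    blocked, suspect = [], []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr in SINK_ADDRESSES:
            blocked.append(name)
        else:
            suspect.append((lineno, name, addr))
    return {"blocked": blocked, "suspect": suspect}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} hosts sunk to loopback")
    for lineno, name, addr in report["suspect"]:
        print(f"line {lineno}: {name} -> {addr}  (review: not a blocking entry)")
```

On a real system, read C:\WINDOWS\system32\drivers\etc\hosts and pass its contents to audit_hosts. A large "blocked" list is exactly what an MVPS install looks like; anything in "suspect" is either a deliberate local override an administrator added or something that deserves investigation, since a hosts file that redirects an update or vendor site is one way a machine can be kept from getting fixes.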

rcbroncos
2008-10-03, 05:28
RipChain,

I can't thank you enough for your patience in guidance. Nice work!

Quick question for you. As you know, I'm using Spyware Doctor for my AV protection. Previously I used Symantec, but when I realized I got the malware I chose to discontinue it in favor of something else. Symantec didn't even detect anything, whereas Spyware Doctor did (in the free download trial thing). I've noticed though that Spyware Doctor uses quite a bit of CPU.

In your opinion, what would you recommend I go with for AV?

Thanks, again!

Ron

__RiP_ChAiN_
2008-10-05, 21:00
Hello rcbroncos,

I would personally recommend AVG Anti-virus (http://free.avg.com/). It has served me well for many years.

__RiP_ChAiN_
2008-10-12, 05:26
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.