View Full Version : Help with Virtumonde clean up
A few days ago Spybot SD picked up this bugger. I ran scans with Spybot SD, Malwarebytes' Anti-Malware, and AVG Free 8.0. Virtumonde didn't show up on the scans after I had the programs remove them but I'm still feeling the effects of this infection. Much slower than usual loading times for Windows, taking maybe three to four minutes. Some desktop icons disappearing for a few seconds and reappearing. Getting redirected to find.com when clicking on search results in Yahoo. Any help would be very much appreciated. Thanks in advance. Here's my HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:49 PM, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061115
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061115
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8748 bytes
Hello al5579
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure.
Internet Explorer is needed to run this program properly.
Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.
Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, uses system resources and basically is not needed for anything.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Hello, ken545. I forgot to mention that ever since the infection was detected Spybot SD was starting up slower than usual as well and I noticed that the graphics in Internet Explorer are missing on the page and my Xfire chat program are missing graphics also. For both of them, the graphics are just text and a white box with shapes. As I was trying to open up Spybot SD to turn off the resident tea timer, it failed to open and all I saw was Spybot's bar in the Windows task bar. I managed to get it open on the second attempt and turned off the tea timer. My Online Armor was active and I had set it to ask me when programs are trying to run. Online Armor had blocked the installation of Combofix but when I went to the programs list it's status was Ask. I set it to allow Combofix to run and this time the installation ran. At one point, I thought that Online Armor was interfering with Combofix so I decided to turn off Online Armor and also disconnected my modem and router. As Combofix continued, it asked to download Microsoft Windows Recovery Console. I reactivated Online Armor and reconnected my modem and router. I clicked allow everytime a program alert from the firewall came up during the time Combofix was running, as I didn't want to block anything. I'm not sure if my explanation of what was happening helps. I hope I didn't make a mistake. Thanks for taking the time to help me. :)
ComboFix 08-12-06.03 - Allen 2008-12-06 16:13:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1462 [GMT -5:00]
Running from: c:\documents and settings\Allen\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\cbgatspn.ini
c:\windows\system32\TDSSirjixfml.dat
c:\windows\Tasks\tpnpmbir.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.
2008-12-05 21:44 . 2008-12-05 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 22:30 . 2008-12-04 22:41 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-04 16:41 . 2008-12-04 16:41 <DIR> d-------- c:\documents and settings\Allen\Application Data\Malwarebytes
2008-12-04 16:40 . 2008-12-04 16:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 16:40 . 2008-12-04 16:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 16:40 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 16:40 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 22:51 . 2008-12-06 16:09 <DIR> d-------- c:\documents and settings\Allen\Application Data\OnlineArmor
2008-12-03 22:51 . 2008-12-04 23:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor
2008-12-03 22:50 . 2008-12-03 22:50 <DIR> d-------- c:\program files\Tall Emu
2008-12-03 22:50 . 2008-11-26 17:18 178,376 --a------ c:\windows\system32\drivers\OADriver.sys
2008-12-03 22:50 . 2008-11-26 17:18 30,920 --a------ c:\windows\system32\drivers\OAmon.sys
2008-12-03 22:50 . 2008-11-26 17:18 28,872 --a------ c:\windows\system32\drivers\OAnet.sys
2008-12-03 21:11 . 2008-12-03 21:11 141,824 --a------ c:\windows\omojoqozi.dll
2008-12-03 20:39 . 2008-12-03 21:42 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-03 20:34 . 2008-12-06 15:20 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-03 20:34 . 2008-12-03 20:34 <DIR> d-------- c:\program files\AVG
2008-12-03 20:34 . 2008-12-03 20:34 <DIR> d-------- c:\documents and settings\Allen\Application Data\AVGTOOLBAR
2008-12-03 20:34 . 2008-12-03 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 20:34 . 2008-12-03 20:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 20:34 . 2008-12-03 20:34 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 20:34 . 2008-12-03 20:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 19:48 . 2008-12-03 19:48 141,824 --a------ c:\windows\ijibanovekegubix.dll
2008-11-27 13:31 . 2007-11-02 14:36 18,176 --a------ c:\windows\system32\drivers\motccgp.sys
2008-11-27 13:31 . 2007-01-23 19:03 7,680 --a------ c:\windows\system32\drivers\motccgpfl.sys
2008-11-27 13:31 . 2007-11-02 14:51 6,400 --a------ c:\windows\system32\drivers\motswch.sys
2008-11-27 13:25 . 2008-11-27 13:25 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2008-11-27 13:25 . 2008-11-27 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2008-11-20 15:44 . 2008-11-20 15:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-11 20:29 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:29 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 06:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 06:11 --------- d-----w c:\documents and settings\Allen\Application Data\Xfire
2008-12-05 02:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 04:55 --------- d-s---w c:\program files\Xfire
2008-12-04 03:48 --------- d-----w c:\program files\BitComet
2008-11-29 00:19 --------- d-----w c:\program files\SmileyPad
2008-11-23 01:10 --------- d-----w c:\documents and settings\Allen\Application Data\Hamachi
2008-11-21 00:27 --------- d-----w c:\documents and settings\Allen\Application Data\teamspeak2
2008-11-18 17:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-30 06:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 04:16 --------- d-----w c:\documents and settings\Allen\Application Data\Move Networks
2008-10-19 03:17 --------- d-----w c:\documents and settings\Allen\Application Data\SystemRequirementsLab
2008-03-09 14:43 166 ---ha-w c:\documents and settings\Allen\hpothb07.dat
2008-04-02 22:57 88 --sh--r c:\windows\system32\9626B7DC46.sys
2008-04-02 22:58 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-03 17:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080320080804\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-15 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-11-26 6223048]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 c:\windows\stsystra.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Control Utility.lnk - c:\program files\TM1184\ControlUtility\ControlUtility.exe [2008-08-16 262144]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-15 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-11-26 886984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"="c:\windows\system32\prunnet.exe"
"Jbuvutom"=rundll32.exe "c:\windows\Mdaxiga.dll",e
"Wzoromalokahub"=rundll32.exe "c:\windows\akonatuqicacepe.dll",e
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\Content\\System\\Swat4.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Rockstar Games\\Midnight Club 2\\mc2.exe"=
"c:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"c:\\Program Files\\WizardWorks\\911 - First Responders\\Em4.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\EA Games\\James Bond 007 Nightfire\\Bond.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\gu.exe"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\sh4.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23821:TCP"= 23821:TCP:BitComet 23821 TCP
"23821:UDP"= 23821:UDP:BitComet 23821 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 97928]
R1 OADevice;OADriver;\??\c:\windows\system32\drivers\OADriver.sys [2008-12-03 178376]
R1 OAmon;OAmon;\??\c:\windows\system32\drivers\OAmon.sys [2008-12-03 30920]
R1 OAnet;OAnet;\??\c:\windows\system32\drivers\OAnet.sys [2008-12-03 28872]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 OAcat;Online Armor Helper Service;"c:\program files\Tall Emu\Online Armor\oacat.exe" [2008-12-03 1402568]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2008-12-03 3321032]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-11-27 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-11-27 7680]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-08-10 24652]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-07-23 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1208991377.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
2008-12-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\i3no4edb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
.
------- File Associations -------
.
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 16:23:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1276)
c:\program files\Tall Emu\Online Armor\oawatch.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Tall Emu\Online Armor\oahlp.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-12-06 16:32:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 21:32:29
Pre-Run: 16,944,214,016 bytes free
Post-Run: 17,566,679,040 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
244 --- E O F --- 2008-12-04 19:43:14
Here's a new HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:57 PM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061115
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 7616 bytes
Hello,
c:\program files\BitComet <--P2P (File Sharing Programs) have become the latest avenue of attack by malware writers so we have changed our forum policy. Think about it, the music file or whatever file you download is coming from an unknown source, its like playing Russian Roulette malware wise. If its still installed, uninstall it please because if you come back here reinfected and its still installed, help will not be offered.
We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.
Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.
We do not ask you to do this without reason.
P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
Read through the instructions for Combofix as far as disabling all AV and AS programs before running the tool.
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
c:\windows\omojoqozi.dll
c:\windows\system32\prunnet.exe
c:\windows\Mdaxiga.dll
c:\windows\akonatuqicacepe.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"prunnet"=-
"Jbuvutom"=-
"Wzoromalokahub"=-
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Hi, ken545. I had uninstalled BitComet earlier and now it doesn't show up in the Add/Remove Programs list. I checked c:\program files, found the folder for BitComet and deleted it.
ComboFix 08-12-06.04 - Allen 2008-12-06 23:52:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1540 [GMT -5:00]
Running from: c:\documents and settings\Allen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Allen\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\akonatuqicacepe.dll
c:\windows\Mdaxiga.dll
c:\windows\omojoqozi.dll
c:\windows\system32\prunnet.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\omojoqozi.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-05 21:44 . 2008-12-05 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 22:30 . 2008-12-04 22:41 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-04 16:41 . 2008-12-04 16:41 <DIR> d-------- c:\documents and settings\Allen\Application Data\Malwarebytes
2008-12-04 16:40 . 2008-12-04 16:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 16:40 . 2008-12-04 16:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 16:40 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 16:40 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 22:51 . 2008-12-07 00:02 <DIR> d-------- c:\documents and settings\Allen\Application Data\OnlineArmor
2008-12-03 22:51 . 2008-12-04 23:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor
2008-12-03 22:50 . 2008-12-03 22:50 <DIR> d-------- c:\program files\Tall Emu
2008-12-03 22:50 . 2008-11-26 17:18 178,376 --a------ c:\windows\system32\drivers\OADriver.sys
2008-12-03 22:50 . 2008-11-26 17:18 30,920 --a------ c:\windows\system32\drivers\OAmon.sys
2008-12-03 22:50 . 2008-11-26 17:18 28,872 --a------ c:\windows\system32\drivers\OAnet.sys
2008-12-03 20:39 . 2008-12-03 21:42 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-03 20:34 . 2008-12-06 15:20 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-03 20:34 . 2008-12-03 20:34 <DIR> d-------- c:\program files\AVG
2008-12-03 20:34 . 2008-12-03 20:34 <DIR> d-------- c:\documents and settings\Allen\Application Data\AVGTOOLBAR
2008-12-03 20:34 . 2008-12-03 20:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 20:34 . 2008-12-03 20:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 20:34 . 2008-12-03 20:34 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 20:34 . 2008-12-03 20:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 19:48 . 2008-12-03 19:48 141,824 --a------ c:\windows\ijibanovekegubix.dll
2008-11-27 13:31 . 2007-11-02 14:36 18,176 --a------ c:\windows\system32\drivers\motccgp.sys
2008-11-27 13:31 . 2007-01-23 19:03 7,680 --a------ c:\windows\system32\drivers\motccgpfl.sys
2008-11-27 13:31 . 2007-11-02 14:51 6,400 --a------ c:\windows\system32\drivers\motswch.sys
2008-11-27 13:25 . 2008-11-27 13:25 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2008-11-27 13:25 . 2008-11-27 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2008-11-20 15:44 . 2008-11-20 15:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-11 20:29 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:29 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 04:41 --------- d-----w c:\documents and settings\Allen\Application Data\Xfire
2008-12-05 06:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 02:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 04:55 --------- d-s---w c:\program files\Xfire
2008-11-29 00:19 --------- d-----w c:\program files\SmileyPad
2008-11-27 23:46 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-11-23 01:10 --------- d-----w c:\documents and settings\Allen\Application Data\Hamachi
2008-11-21 00:27 --------- d-----w c:\documents and settings\Allen\Application Data\teamspeak2
2008-11-18 17:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-30 06:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 04:16 --------- d-----w c:\documents and settings\Allen\Application Data\Move Networks
2008-10-19 03:17 --------- d-----w c:\documents and settings\Allen\Application Data\SystemRequirementsLab
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-03-09 14:43 166 ---ha-w c:\documents and settings\Allen\hpothb07.dat
2006-10-03 07:43 2,402,550 ----a-w c:\windows\inf\SET312.tmp
2004-08-10 10:00 1,431,144 ----a-w c:\windows\inf\SET385.tmp
2008-04-02 22:57 88 --sh--r c:\windows\system32\9626B7DC46.sys
2008-04-02 22:58 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-03 17:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080320080804\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-15 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-11-26 6223048]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 c:\windows\stsystra.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Control Utility.lnk - c:\program files\TM1184\ControlUtility\ControlUtility.exe [2008-08-16 262144]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-15 24576]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-11-26 886984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\Content\\System\\Swat4.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Rockstar Games\\Midnight Club 2\\mc2.exe"=
"c:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"c:\\Program Files\\WizardWorks\\911 - First Responders\\Em4.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\EA Games\\James Bond 007 Nightfire\\Bond.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\gu.exe"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\sh4.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23821:TCP"= 23821:TCP:BitComet 23821 TCP
"23821:UDP"= 23821:UDP:BitComet 23821 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 97928]
R1 OADevice;OADriver;\??\c:\windows\system32\drivers\OADriver.sys [2008-12-03 178376]
R1 OAmon;OAmon;\??\c:\windows\system32\drivers\OAmon.sys [2008-12-03 30920]
R1 OAnet;OAnet;\??\c:\windows\system32\drivers\OAnet.sys [2008-12-03 28872]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 OAcat;Online Armor Helper Service;"c:\program files\Tall Emu\Online Armor\oacat.exe" [2008-12-03 1402568]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2008-12-03 3321032]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-11-27 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-11-27 7680]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-08-10 24652]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-07-23 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1208991377.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\i3no4edb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2660)
c:\program files\Tall Emu\Online Armor\oawatch.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Tall Emu\Online Armor\oahlp.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-12-07 0:06:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 05:06:37
ComboFix2.txt 2008-12-06 21:32:49
Pre-Run: 17,538,662,400 bytes free
Post-Run: 17,524,662,272 bytes free
242 --- E O F --- 2008-12-04 19:43:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:06 AM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061115
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 7385 bytes
Before we delete this file, lets check it first.
You need to enable windows to Show All Files and Folders
Click Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html) for instructions
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
c:\windows\ijibanovekegubix.dll
Here is the report.
Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.06 -
AntiVir 7.9.0.42 2008.12.07 -
Authentium 5.1.0.4 2008.12.06 -
Avast 4.8.1281.0 2008.12.06 -
AVG 8.0.0.199 2008.12.06 -
BitDefender 7.2 2008.12.07 -
CAT-QuickHeal 10.00 2008.12.06 -
ClamAV 0.94.1 2008.12.07 -
Comodo 698 2008.12.06 -
DrWeb 4.44.0.09170 2008.12.07 -
eSafe 7.0.17.0 2008.12.07 -
eTrust-Vet 31.6.6246 2008.12.05 -
Ewido 4.0 2008.12.07 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.07 -
Fortinet 3.117.0.0 2008.12.07 -
GData 19 2008.12.07 -
Ikarus T3.1.1.45.0 2008.12.07 -
K7AntiVirus 7.10.547 2008.12.06 -
Kaspersky 7.0.0.125 2008.12.07 -
McAfee 5456 2008.12.06 -
McAfee+Artemis 5456 2008.12.06 -
Microsoft 1.4205 2008.12.07 -
NOD32 3668 2008.12.06 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.07 -
PCTools 4.4.2.0 2008.12.06 -
Prevx1 V2 2008.12.07 Malicious Software
Rising 21.06.62.00 2008.12.07 -
SecureWeb-Gateway 6.7.6 2008.12.07 -
Sophos 4.36.0 2008.12.07 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.07 -
TheHacker 6.3.1.2.179 2008.12.06 -
TrendMicro 8.700.0.1004 2008.12.05 -
VBA32 3.12.8.10 2008.12.07 -
ViRobot 2008.12.6.1504 2008.12.06 -
VirusBuster 4.5.11.0 2008.12.05 -
Additional information
File size: 141824 bytes
MD5...: 99d62e7f4c6b8ebbec7ea5d0d6d280b9
SHA1..: 0c684214c496518e0bb300a1281f8197476b0892
SHA256: 27531dfe97c24f5625361ad8ff082c804bc3dfce0bedb1f4aa206cb324251689
SHA512: 502dc1b526be39cb4a7c8fc9835d7488bff4ef8ecf945f4273c28dfaf054150e
7cf085af0f36c989fb804ec6412ea039c081d24abfd4d569701134cbd1ca8d05
ssdeep: 3072:b6nKgUHBPYqkLisIQZA1JkvegcVyW4ITutJ0dPo:b6nKgUHFkLisW3Jgc8W
4
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000664c
timedatestamp.....: 0x485eccc0 (Sun Jun 22 22:05:52 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f000 0x11200 7.90 5e5854623773ed6ad3e4a557ec6b8c0a
.data 0x20000 0x11000 0x10200 6.35 db15c2c2dd9cfdea36472b51240869c1
.rsrc 0x31000 0x1000 0x400 3.16 cad826ab45e3b0243233e3ba6adeb8f5
.reloc 0x32000 0x1000 0x200 2.33 f54ea6e461a574a454404c1fabdefda4
( 5 imports )
> KERNEL32.dll: EnterCriticalSection, FreeLibrary, GetEnvironmentStringsA, GetFileType, GetSystemDirectoryA, GetSystemTimeAsFileTime, HeapAlloc, HeapCreate, OpenProcess, SetEnvironmentVariableA, lstrcmpA, lstrcpynA, lstrlenA
> msvcrt.dll: __p__fmode, wcslen, malloc
> user32.dll: GetSystemMetrics, PtInRect, SetCapture, GetUserObjectSecurity, PostMessageA, GetWindowThreadProcessId
> OLEAUT32.dll: -, -, -, -, -, -
> SHLWAPI.dll: PathBuildRootA, PathFileExistsA, SHDeleteEmptyKeyA, SHSetValueA, StrStrA, StrToIntA, PathAppendA
( 0 exports )
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=8731309400D32D3C2A6A02EE008FFC006A67DA47' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=8731309400D32D3C2A6A02EE008FFC006A67DA47</a>
I dont think its anything to worry about.
How is your system running now???
It seems better now. There are a few things that are still running slow though. Though I noticed the control utility for my router is open during start up. Normally, the utility window is open for about one second and then disappears. It also takes longer for my AVG and Online Armor icons to show up next to the clock in the task bar. Plus, when I move my mouse over the task bar it shows as busy for maybe three minutes.
Before I let you go, lets do an online virus scan and if it comes up clean I can link you to some windows support sites that deal with slow computers.
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
I see a check box with Yes, I accept the terms of use but I don't see a start button. The graphics in IE still aren't there. The same goes for my Xfire chat program. I forgot to mention in my previous post that Spybot S&D is still starting up slower than usual as well.
Open Internet Explorer and go to Tools> Internet Options> Advanced Tab and click on Reset Internet Explorer Setting.. When its done, close out IE and then open it again and see if that made a difference.
The graphics are back now in IE as well as Xfire. It seems Xfire uses IE.
I checked the check box and clicked on start but it came out with this: HTTP 404 Not Found.
Try this one
Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.
Logs as requested:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 01:30:05
Records in database: 1443164
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
Scan statistics:
Files scanned: 127869
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:49:24
No malware has been detected. The scan area is clean.
The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:16 AM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Allen\Local Settings\Temp\jkos-Allen\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 7433 bytes
Your fine, I am linking you to some windows support sites that deal with issues like slow startups and such, you can post there , just as we are better at malware removal , there better at windows issues.
Windows Tech Support Forums
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
It's Not Always Malware
Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)
Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)
Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)
DelDomains <--- Drag it to the trash
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Hijackthis <---Your call, hopefully you won't need it again, if you do you can redownload it
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ? <--- Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
Hi, ken545. Thanks for the help. I booted up my computer today and it's now back to normal loading times. Some things I noticed though. My router's control utility at start up is still loading a bit slow but faster than last time. The window for the utility still stays open though, so I guess I might have to reinstall it. I'll check the manual first. I also noticed some programs in Add or Remove Programs I haven't seen before the infection. Avanquest Update and Mirar. I blocked Mirar when it first came up as I was suspicious of it but I'm not sure about Avanquest Update. I will certainly go to the links you have provided. Thanks again. :)
Avanquest <-- Legit program, if you don't use it than uninstall it
Mirar <--Adware
I don't see either of these programs on any of your logs.
C:\Program Files\Mirar <--Delete this folder
If the folder is not there than you can open the add remove programs and right click on it and remove it from the list
Ken:)
I can't seem to get rid of Mirar from my programs list. I can't find Mirar in C:\Program Files either.
First lets clean out your System Restore Program as all we removed is backed up in there.
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start> All Programs> Assessories> System Tools> System Restore> Create a New Restore Point
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
DO NOT PROCEED WITH THE FIX UNLESS YOU HAVE CREATED A NEW RESTORE POINT SUCCESSFULLY
Where going to edit the Registry, be very careful and delete this key only.
Go to Start> Run and type in regedit
Open HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Uninstall.
Right click on Mirar and select Delete
Then click on File> Exit
Reboot and it should be gone
I successfully created a new System Restore point. I followed the path you gave for the Registry but I can't find Mirar.
I forgot to mention that Spybot SD is still loading up slow. Oh, and before I forget, since I have Spyware Blaster installed I did not reactivate TeaTimer. I still have Windows Defender installed, so should I reactivate the real time protection for that or will it interfere with Spyware Blaster or AVG 8 Free?
Thanks for being patient. I always seem to think of something minutes after I post. I'm used to having an edit button while on forums. :p:
That's fine, it may not be present, I don't see the actual program installed and there is no folder for it on your C:\Program Files.
Keep the TeatTimer disabled if you use those other programs ( recommended ) because they will conflict.
Why don;t you uninstall Spybot and grab the latest version, I remember a version a few back that did load slow
http://www.safer-networking.org/en/home/index.html
You can also post in there form for help with it
http://forums.spybot.info/forumdisplay.php?f=4
Take Care,
Ken :)
Well, ok. I tried removing it from the programs list and when I clicked on Change/Remove a window labeled remove.getmirar.com opened. The window was blank, I'm guessing my hosts file or my firewall had blocked it from accessing that site.
Well, thanks a lot Ken. I still have a few questions though but I think the main purpose of this thread has been carried out. I'll ask the questions in the appropriate forum. :)
Sorry to bother like this.
I used Firefox to do a Google search for Safer Networking Forums, just to make sure there aren't any redirects to any other site when I click on a valid link to here. When I hover my mouse over the link Google found, the status bar indicates forums.spybot.info/index.php which I already know as a valid link to this forum. But when I click it, I get redirected to another site. I watched the status bar and it said redirection.goored.com and rdrct.google.goored.com. The result was I ended up at findstuff.com. I had previously dealt with browser hijackers in the past so I know it's a sign of something wrong. I ran a scan with Spybot S&D yesterday and it found nothing.
What version of Firefox do you have?? You should have version 3.0.4. Open Firefox and go to Tools> Options and on the Main tab click on Manage Add Ons, click on both Extensions and Plugins and if you see any mention of goored.com.if so remove it.
If its not present, run this quick scan, it wont remove anything but I need to see the report
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
I have Firefox version 3.0.4. I see Move Media player under extensions and plugins and I see a MetaStream 3 plugin. No mention of goored.com.
I downloaded a new version of Spybot SD at the home page as you suggested. Turns out I do have the latest version because the installation file I have is the same. Still, I downloaded the install file, uninstalled Spybot and used the newly downloaded file to reinstall. It boots up much faster now. :)
log.txt
Logfile of random's system information tool 1.04 (written by random/random)
Run by Allen at 2008-12-09 13:44:34
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (32%) free of 71 GB
Total RAM: 2046 MB (69% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:13 PM, on 12/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Xfire\xfire.exe
C:\Documents and Settings\Allen\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Allen.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 7540 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1208991377.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-12-03 2055960]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-10-05 94208]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2006-08-15 282624]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2006-01-02 45056]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-11-15 98304]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-04-21 185896]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-12-03 1261336]
"@OnlineArmor GUI"=C:\Program Files\Tall Emu\Online Armor\oaui.exe [2008-11-26 6223048]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=C:\Program Files\Dell Support\DSAgnt.exe [2006-07-16 389120]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Dell Control Utility.lnk - C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-11-26 886984]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Microsoft Games\Age of Empires III - The WarChiefs Trial\age3x.exe"="C:\Program Files\Microsoft Games\Age of Empires III - The WarChiefs Trial\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs Trial"
"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Sierra\SWAT 4\Content\System\Swat4.exe"="C:\Program Files\Sierra\SWAT 4\Content\System\Swat4.exe:*:Enabled:SWAT 4"
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"="C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\Program Files\Microsoft Games\Halo\halo.exe"="C:\Program Files\Microsoft Games\Halo\halo.exe:*:Enabled:Halo"
"C:\Program Files\Rockstar Games\Midnight Club 2\mc2.exe"="C:\Program Files\Rockstar Games\Midnight Club 2\mc2.exe:*:Enabled:mc2"
"C:\Program Files\Microsoft Games\Freelancer\EXE\Freelancer.exe"="C:\Program Files\Microsoft Games\Freelancer\EXE\Freelancer.exe:*:Enabled:Freelancer"
"C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4X.exe"="C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4X.exe:*:Enabled:SWAT 4 - The Stetchkov Syndicate"
"C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4XDedicatedServer.exe"="C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4XDedicatedServer.exe:*:Enabled:SWAT 4 - The Stetchkov Syndicate Dedicated Server"
"C:\Program Files\WizardWorks\911 - First Responders\Em4.exe"="C:\Program Files\WizardWorks\911 - First Responders\Em4.exe:*:Enabled:Em4"
"C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe"="C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:*:Enabled:World in Conflict"
"C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe"="C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe"="C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\Program Files\EA Games\James Bond 007 Nightfire\Bond.exe"="C:\Program Files\EA Games\James Bond 007 Nightfire\Bond.exe:*:Enabled:Bond"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\gu.exe"="C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\gu.exe:*:Enabled:Run Silent Hunter Wolves of the Pacific"
"C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\sh4.exe"="C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\sh4.exe:*:Enabled:Silent Hunter IV"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe
======List of files/folders created in the last 1 months======
2008-12-09 13:44:34 ----D---- C:\rsit
2008-12-09 00:51:42 ----D---- C:\WINDOWS\pss
2008-12-08 19:06:29 ----D---- C:\ComboFix
2008-12-07 22:41:56 ----SHD---- C:\RECYCLER
2008-12-07 00:06:57 ----D---- C:\WINDOWS\temp
2008-12-07 00:06:54 ----A---- C:\ComboFix.txt
2008-12-06 16:11:46 ----A---- C:\Boot.bak
2008-12-06 16:11:16 ----RASHD---- C:\cmdcons
2008-12-06 16:08:02 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-06 16:07:55 ----D---- C:\WINDOWS\ERDNT
2008-12-06 15:12:26 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-05 21:44:08 ----D---- C:\Program Files\Trend Micro
2008-12-04 22:30:24 ----D---- C:\Program Files\SpywareBlaster
2008-12-04 16:41:04 ----D---- C:\Documents and Settings\Allen\Application Data\Malwarebytes
2008-12-04 16:40:53 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-04 16:40:52 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-03 22:51:07 ----D---- C:\Documents and Settings\Allen\Application Data\OnlineArmor
2008-12-03 22:51:07 ----D---- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-12-03 22:50:35 ----D---- C:\Program Files\Tall Emu
2008-12-03 20:39:22 ----HD---- C:\$AVG8.VAULT$
2008-12-03 20:34:26 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-03 20:34:19 ----D---- C:\Documents and Settings\Allen\Application Data\AVGTOOLBAR
2008-12-03 20:34:00 ----D---- C:\Program Files\AVG
2008-12-03 20:34:00 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-03 19:48:32 ----A---- C:\WINDOWS\ijibanovekegubix.dll
2008-12-03 19:01:11 ----D---- C:\WINDOWS\Minidump
2008-12-03 18:44:22 ----A---- C:\WINDOWS\system32\4b8e9747-.txt
2008-11-27 13:25:14 ----D---- C:\Program Files\Common Files\Motorola Shared
2008-11-27 13:25:02 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-11-20 15:44:26 ----A---- C:\WINDOWS\system32\xfcodec.dll
2008-11-12 01:40:04 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 01:39:59 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 01:39:51 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
======List of files/folders modified in the last 1 months======
2008-12-09 13:44:29 ----D---- C:\WINDOWS\Prefetch
2008-12-09 13:42:27 ----D---- C:\Program Files\Mozilla Firefox
2008-12-09 13:26:01 ----D---- C:\Documents and Settings\Allen\Application Data\Xfire
2008-12-09 12:23:50 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 12:21:49 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2008-12-09 12:20:19 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-09 11:26:56 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-09 11:23:21 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-09 11:19:02 ----D---- C:\WINDOWS
2008-12-09 11:16:27 ----D---- C:\WINDOWS\Registration
2008-12-09 01:17:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-09 00:35:53 ----A---- C:\WINDOWS\system32\CmdLineExt03.dll
2008-12-08 22:39:46 ----D---- C:\WINDOWS\system32\Restore
2008-12-08 22:39:45 ----SHD---- C:\System Volume Information
2008-12-08 21:11:21 ----D---- C:\Program Files
2008-12-08 21:06:58 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-08 19:06:53 ----D---- C:\WINDOWS\system32
2008-12-07 00:07:37 ----D---- C:\WINDOWS\system32\drivers
2008-12-07 00:01:17 ----A---- C:\WINDOWS\system.ini
2008-12-06 23:58:49 ----D---- C:\WINDOWS\system32\config
2008-12-06 23:56:17 ----D---- C:\WINDOWS\AppPatch
2008-12-06 23:56:17 ----D---- C:\Program Files\Common Files
2008-12-06 23:40:46 ----SD---- C:\WINDOWS\Tasks
2008-12-06 16:11:46 ----RASH---- C:\boot.ini
2008-12-04 21:09:05 ----SHD---- C:\WINDOWS\Installer
2008-12-03 23:55:06 ----SD---- C:\Program Files\Xfire
2008-12-03 20:33:47 ----D---- C:\WINDOWS\WinSxS
2008-12-03 20:33:47 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-03 20:30:25 ----SD---- C:\Documents and Settings\Allen\Application Data\Microsoft
2008-12-03 19:31:24 ----A---- C:\WINDOWS\wininit.ini
2008-11-28 19:19:17 ----D---- C:\Program Files\SmileyPad
2008-11-27 13:33:00 ----HD---- C:\WINDOWS\inf
2008-11-27 13:31:13 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-23 12:37:47 ----SHD---- C:\WINDOWS\system32\dllcache
2008-11-22 20:10:17 ----D---- C:\Documents and Settings\Allen\Application Data\Hamachi
2008-11-22 14:05:32 ----D---- C:\WINDOWS\Help
2008-11-20 19:27:01 ----D---- C:\Documents and Settings\Allen\Application Data\teamspeak2
2008-11-12 01:40:03 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 01:40:02 ----A---- C:\WINDOWS\imsins.BAK
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-18 36864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-03 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-03 26824]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 OADevice;OADriver; \??\C:\WINDOWS\system32\drivers\OADriver.sys []
R1 OAmon;OAmon; \??\C:\WINDOWS\system32\drivers\OAmon.sys []
R1 OAnet;OAnet; \??\C:\WINDOWS\system32\drivers\OAnet.sys []
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-06-07 1580544]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-08-14 44544]
R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-04-15 25280]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\system32\DRIVERS\IPFilter.sys [2002-04-11 11136]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-08-15 1171464]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 DSproct;DSproct; \??\C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
S3 MotoSwitchService;MotoSwitch Service; C:\WINDOWS\system32\DRIVERS\motswch.sys [2007-11-02 6400]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-06-07 409600]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2005-06-02 86606]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 OAcat;Online Armor Helper Service; C:\Program Files\Tall Emu\Online Armor\oacat.exe [2008-11-26 1402568]
R2 SvcOnlineArmor;Online Armor; C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2008-11-26 3321032]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []
-----------------EOF-----------------
info.txt
info.txt logfile of random's system information tool 1.04 2008-12-09 13:45:16
======Uninstall list======
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
911 - First Responders-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80AE0E0A-5579-4015-9C1A-35F2F2CE5673}\setup.exe" -l0x9
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Empires III - The Asian Dynasties Trial-->C:\Program Files\InstallShield Installation Information\{63415CB1-3C97-4D9C-980D-336710EB0526}\setup.exe -runfromtemp -l0x0409
Age of Empires III - The WarChiefs Trial-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{ABFE9B50-BA4B-4FDF-A943-EA025119DBED}
Age of Empires III Trial-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{25B25C84-6132-4662-972B-4E4DC1B00C98}
AIM 6-->C:\Program Files\AIM6\uninst.exe
AOLIcon-->MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
ATI Catalyst Control Center-->MsiExec.exe /I{2CA41BA1-9842-4819-8ABB-76FDC14AB9EA}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BC-Mod Installer .NET - FINAL Version-->"C:\Program Files\BC-Mod Installer .NET\uninstall.exe"
Broadcom Management Programs-->MsiExec.exe /I{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}
Canon Camera Access Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{901F8ED7-13E8-43EF-B738-2FE89B0588EB} /l1033
Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
Canon Camera Window DSLR 5 for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
Canon Camera Window MC 6 for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4DBBF091-FACD-422C-B43C-786335BD5398}
Canon PhotoRecord-->MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}
Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
Canon ZoomBrowser EX (E)-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
ControlUtility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DCB91C79-B78B-44B1-A7FE-28DECA6E9245}\setup.exe"
Corel Snapfire Plus-->MsiExec.exe /I{7ADE3A47-B425-45E9-8FF6-11BE2B775645}
Dell CinePlayer-->MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Support 3.2-->MsiExec.exe /X{3846E811-639D-4DE1-844B-30491C0A6C0C}
Digital Content Portal-->MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Documentation & Support Launcher-->MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
EducateU-->MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
Fraps-->"C:\Fraps\uninstall.exe"
Freelancer-->"C:\Program Files\Microsoft Games\Freelancer\UNINSTAL.EXE" /runtemp /addremove
Games, Music, & Photos Launcher-->MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GameShadow-->MsiExec.exe /I{D50BB830-3961-48EB-83D9-03A04C63534F}
GameSpot Download Manager-->"C:\Program Files\GameSpot\uninstall.exe"
getPlus(R)_dll-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Video Player-->"C:\Program Files\Google\Google Video Player\Uninstall.exe"
Hamachi 1.0.3.0-->C:\Program Files\Hamachi\uninstall.exe
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One Drivers-->MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - All-in-One-->MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - hp psc 1200 series-->C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series-->MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2005-->MsiExec.exe /I{05410044-64A6-4248-A026-9745C1E9E159}
Microsoft Halo-->"C:\Program Files\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Edition 2003-->MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Streets and Trips 2005-->MsiExec.exe /I{67E4EE98-59F4-4210-89A6-A20AF5BEC689}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C252EB7B-7AE0-46DE-9BEE-DF681B885F13}\setup.exe" -l0x9 -removeonly
Motorola Driver Installation 3.2.0-->MsiExec.exe /I{D6A1E429-CCE1-4140-A615-710B806D12BA}
Motorola Phone Tools-->C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe -runfromtemp -l0x0009 -removeonly
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Online Armor 3.0-->"C:\Program Files\Tall Emu\Online Armor\unins000.exe"
OTOY-->RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine-->MsiExec.exe /I{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}
Roxio DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SearchAssist-->C:\DELL\SearchAssist\UninstSA.bat
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Silent Hunter Wolves of the Pacific-->C:\Program Files\InstallShield Installation Information\{0D005F09-A5F4-473B-A901-5735C6AF5628}\Setup.exe -runfromtemp -l0x0009 -removeonly
SmileyPad v2.28-->"C:\Program Files\SmileyPad\unins000.exe"
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Star Trek Bridge Commander-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Activision\Bridge Commander\stbc.isu"
SWAT 4 - The Stetchkov Syndicate-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{97E12F84-C033-4DA2-97D2-F540C3E292EA} uninstall
SWAT 4-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8} uninstall
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB926251)-->"C:\WINDOWS\$NtUninstallKB926251$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant-->MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]-->C:\WINDOWS\$NtUninstallEmeraldQFE2$\spuninst\spuninst.exe
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows XP Media Center Edition 2005 KB908246-->"C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World in Conflict-->C:\Program Files\InstallShield Installation Information\{F11ADC64-C89E-47F4-A0B3-3665FF859397}\setup.exe -runfromtemp -l0x0009 -removeonly
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Yahoo! Music Jukebox-->MsiExec.exe /X{7C49EA42-5647-4051-84C2-E6404F25A931}
=====HijackThis Backups=====
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
======Hosts File======
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
======Security center information======
AV: AVG Anti-Virus Free
FW: Online Armor Firewall
FW: Norton Internet Worm Protection (disabled)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE;C:\Program Files\Common Files\Roxio Shared\DLLShared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
-----------------EOF-----------------
Hello,
Remove these entries with HJT
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
Can't find anything bad on your logs.
Lets try uninstalling Firefox from the Add Remove Programs.
C:\Program Files\Mozilla Firefox <----Then delete this folder.
Reboot and then reinstall Firefox and see if that made a difference
http://www.mozilla.com/en-US/firefox/
Ok, I removed the entries with HJT and reinstalled Firefox. I tried doing the search for this forum on Google again. Again, I saw goored.com in the status and address bar when I clicked on the link. It tried to access toseeka.com but it came out as a Page Load Error. When I clicked the Back button and click on the link again, I got to the forum. I also tried the same search on Yahoo, clicked on the link, and it redirected me to FindStuff.com. However, when I used the AVG toolbar there was no redirect and I got right to the forum.
Born and raised 144th and St Anns....a loooooooong time ago
Download the HostsXpert 4.2.0.0. - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).
Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
See if this helped
Born in Manhattan, raised near E. 177th, Parkchester. :)
Looks like that did the trick. Thanks. Since the hosts file is changed, do I have to redo the immunizations for Spybot and Spyware Blaster? If yes, I'll do so.
Thanks again, Ken. I'll again check the links you provided for tips on speeding up my system. :)
Thats great, yes redo both immunization on both programs. Spybot also has the option to lock the hosts file so that it can't be changed. I am on a computer with no Spybot so I cant direct you, but read the tutorial.
Take care,
Ken
I still have some doubts about the goored.com. I know that I said it seemed to work but last night after my last post when I first clicked on the link it got me directly to the forums. But when I clicked Back and clicked on it again just to make sure it was completely fixed, goored came back again. Perhaps, I missed something? Spybot SD and Malwarebyte's didn't pick anything up.
We need to dig deeper, there is a registry key responsible for Goored
Download DNS Check (http://billy-oneal.com/dnscheck/DNSCheck.exe) to your Desktop
Double click DNSCheck.exe (allow it through your firewall if asked)
Follow the on-screen instructions. When done, a log will open, and be saved to the desktop.
Please copy and paste that log in your next reply.
Download RegQuery (http://rathat.geekstogo.com/Applications/RegQuery.exe) to your Desktop.
Double click RegQuery.exe to run the program.
Copy and paste the following Registry key path into where it says Enter key name.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox
Click the Query button.
A Notepad file opens. Please copy and paste the contents back here.
Download DirLook (http://jpshortstuff.247fixes.com/DirLook.exe)
Double-click DirLook.exe to run it.
Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
Copy the content of the following codebox into the textfield labeled "Directory
Just fill in your user name.
c:\documents and settings\-->user name<--\Local Settings\Application Data
Click the DirLook button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply
Note: The log can also be found at C:\dl_log.txt)
Logs as requested.
DNSCheck v.0.8.14
Checking No-Exist Redirector
Fake name: nsaaqadhshspwtvmtkja.com
192.168.2.1: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Local DNS (DNSAPI) error: Fails to reverse resolve. -- WARNING!
No records found for given DNS query.
2: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Local DNS (DNSAPI) error: Fails to reverse resolve. -- WARNING!
No records found for given DNS query.
Checking site: google.com
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\\Documents and Settings\\Allen\\Local Settings\\Application Data\\{609E0751-889D-402A-B225-DBA0ACE20764}"
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\\Program Files\\AVG\\AVG8\\Firefox"
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\\Program Files\\AVG\\AVG8\\ToolbarFF"
DirLook.exe v2.0 by jpshortstuff
Log created at 19:42 on 10/12/2008
==================================
Contents of "c:\documents and settings\Allen\Local Settings\Application Data"
---FOLDERS---
Adobe (Created on 11/12/2006 at 00:58) d-----
AOL (Created on 11/08/2008 at 04:52) d-----
AOL OCP (Created on 11/08/2008 at 04:52) d-----
ApplicationHistory (Created on 18/11/2006 at 02:10) d-----
ATI (Created on 18/11/2006 at 02:10) d-----
BVRP Software (Created on 18/11/2006 at 02:10) d-----
Freelancer (Created on 15/01/2007 at 00:25) d-----
Gearbox Software (Created on 26/07/2008 at 21:41) d-----
Google (Created on 18/11/2006 at 02:10) d-----
Help (Created on 09/01/2007 at 04:33) d-----
Identities (Created on 13/02/2007 at 07:45) d-----
Microsoft (Created on 18/11/2006 at 02:10) d-----
Mozilla (Created on 18/11/2006 at 03:32) d-----
My Games (Created on 05/02/2007 at 19:45) d-----
PCHealth (Created on 14/03/2008 at 06:11) d-----
The Weather Channel (Created on 21/08/2007 at 01:25) d-----
World in Conflict (Created on 01/07/2008 at 23:41) d-----
World in Conflict - DEMO (Created on 01/05/2008 at 23:09) d-----
Yahoo (Created on 18/11/2006 at 02:10) d-----
{3248F0A6-6813-11D6-A77B-00B0D0150060} (Created on 18/11/2006 at 02:10) d-----
{609E0751-889D-402A-B225-DBA0ACE20764} (Created on 04/12/2008 at 00:48) d-----
---FILES---
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini (50688 bytes - created on 25/12/2006 at 22:31, modified on 30/11/2008 at 01:56) --a---
fusioncache.dat (128 bytes - created on 18/11/2006 at 02:10, modified on 18/11/2006 at 02:10) --a---
GDIPFONTCACHEV1.DAT (69672 bytes - created on 18/11/2006 at 13:51, modified on 04/08/2008 at 22:24) --a---
IconCache.db (2112996 bytes - created on 27/05/2008 at 07:57, modified on 27/05/2008 at 07:57) --ah--
==================================
=EOF=
Do a windows search and delete this
nsaaqadhshspwtvmtkja.com
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"=-
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg
I did a Windows search but nothing came up.
Next Go start> Run type cmd and hit OK
Type in ipconfig /flushdns then hit enter
(that space between g and / is needed)
Type exit hit enter
Ok, did exactly as you told me at the command prompt. I did another search but still no results.
Did cleaning out the DNS cache help any. I see no mention of Goored in any of the programs or scans we have run.
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
I cleared the DNS cache and did another search on my C drive but nsaaqadhshspwtvmtkja.com didn't show up, even with search hidden files and archives ticked in the checkboxes. I downloaded and ran RSIT but only opened log.txt
Logfile of random's system information tool 1.04 (written by random/random)
Run by Allen at 2008-12-10 22:26:55
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (32%) free of 71 GB
Total RAM: 2046 MB (65% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:10 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Allen\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Allen.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 7567 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1208991377.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-12-03 2055960]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-10-05 94208]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2006-08-15 282624]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2006-01-02 45056]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-11-15 98304]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-04-21 185896]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-12-03 1261336]
"@OnlineArmor GUI"=C:\Program Files\Tall Emu\Online Armor\oaui.exe [2008-11-26 6223048]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=C:\Program Files\Dell Support\DSAgnt.exe [2006-07-16 389120]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Dell Control Utility.lnk - C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-11-26 886984]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Microsoft Games\Age of Empires III - The WarChiefs Trial\age3x.exe"="C:\Program Files\Microsoft Games\Age of Empires III - The WarChiefs Trial\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs Trial"
"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Sierra\SWAT 4\Content\System\Swat4.exe"="C:\Program Files\Sierra\SWAT 4\Content\System\Swat4.exe:*:Enabled:SWAT 4"
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"="C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\Program Files\Microsoft Games\Halo\halo.exe"="C:\Program Files\Microsoft Games\Halo\halo.exe:*:Enabled:Halo"
"C:\Program Files\Rockstar Games\Midnight Club 2\mc2.exe"="C:\Program Files\Rockstar Games\Midnight Club 2\mc2.exe:*:Enabled:mc2"
"C:\Program Files\Microsoft Games\Freelancer\EXE\Freelancer.exe"="C:\Program Files\Microsoft Games\Freelancer\EXE\Freelancer.exe:*:Enabled:Freelancer"
"C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4X.exe"="C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4X.exe:*:Enabled:SWAT 4 - The Stetchkov Syndicate"
"C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4XDedicatedServer.exe"="C:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4XDedicatedServer.exe:*:Enabled:SWAT 4 - The Stetchkov Syndicate Dedicated Server"
"C:\Program Files\WizardWorks\911 - First Responders\Em4.exe"="C:\Program Files\WizardWorks\911 - First Responders\Em4.exe:*:Enabled:Em4"
"C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe"="C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:*:Enabled:World in Conflict"
"C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe"="C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe"="C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\Program Files\EA Games\James Bond 007 Nightfire\Bond.exe"="C:\Program Files\EA Games\James Bond 007 Nightfire\Bond.exe:*:Enabled:Bond"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\gu.exe"="C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\gu.exe:*:Enabled:Run Silent Hunter Wolves of the Pacific"
"C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\sh4.exe"="C:\Program Files\Ubisoft\Silent Hunter Wolves of the Pacific\sh4.exe:*:Enabled:Silent Hunter IV"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe
======List of files/folders created in the last 1 months======
2008-12-10 19:42:03 ----A---- C:\DirLook.txt
2008-12-09 20:48:51 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-09 20:48:06 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-09 20:48:01 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-09 20:47:52 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-09 20:11:19 ----D---- C:\HostsXpert
2008-12-09 19:18:54 ----D---- C:\Documents and Settings\Allen\Application Data\Mozilla
2008-12-09 19:12:58 ----D---- C:\Program Files\Mozilla Firefox
2008-12-09 13:44:34 ----D---- C:\rsit
2008-12-09 00:51:42 ----D---- C:\WINDOWS\pss
2008-12-07 22:41:56 ----SHD---- C:\RECYCLER
2008-12-07 00:06:57 ----D---- C:\WINDOWS\temp
2008-12-07 00:06:54 ----A---- C:\ComboFix.txt
2008-12-06 16:11:46 ----A---- C:\Boot.bak
2008-12-06 16:11:16 ----RASHD---- C:\cmdcons
2008-12-06 16:08:02 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-06 16:07:55 ----D---- C:\WINDOWS\ERDNT
2008-12-06 15:12:26 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-05 21:44:08 ----D---- C:\Program Files\Trend Micro
2008-12-04 22:30:24 ----D---- C:\Program Files\SpywareBlaster
2008-12-04 16:41:04 ----D---- C:\Documents and Settings\Allen\Application Data\Malwarebytes
2008-12-04 16:40:53 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-04 16:40:52 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-03 22:51:07 ----D---- C:\Documents and Settings\Allen\Application Data\OnlineArmor
2008-12-03 22:51:07 ----D---- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-12-03 22:50:35 ----D---- C:\Program Files\Tall Emu
2008-12-03 20:39:22 ----HD---- C:\$AVG8.VAULT$
2008-12-03 20:34:26 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-12-03 20:34:19 ----D---- C:\Documents and Settings\Allen\Application Data\AVGTOOLBAR
2008-12-03 20:34:00 ----D---- C:\Program Files\AVG
2008-12-03 20:34:00 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-03 19:48:32 ----A---- C:\WINDOWS\ijibanovekegubix.dll
2008-12-03 19:01:11 ----D---- C:\WINDOWS\Minidump
2008-12-03 18:44:22 ----A---- C:\WINDOWS\system32\4b8e9747-.txt
2008-11-27 13:25:14 ----D---- C:\Program Files\Common Files\Motorola Shared
2008-11-27 13:25:02 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-11-20 15:44:26 ----A---- C:\WINDOWS\system32\xfcodec.dll
2008-11-12 01:40:04 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 01:39:59 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 01:39:51 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
======List of files/folders modified in the last 1 months======
2008-12-10 22:21:50 ----D---- C:\Documents and Settings\Allen\Application Data\Xfire
2008-12-10 22:11:48 ----D---- C:\WINDOWS\Prefetch
2008-12-10 20:37:02 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2008-12-10 19:35:04 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-10 19:33:21 ----D---- C:\WINDOWS
2008-12-10 19:31:27 ----D---- C:\WINDOWS\Registration
2008-12-10 01:58:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-09 21:11:35 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-09 20:56:28 ----D---- C:\WINDOWS\system32
2008-12-09 20:48:54 ----HD---- C:\WINDOWS\inf
2008-12-09 20:48:38 ----A---- C:\WINDOWS\imsins.BAK
2008-12-09 20:48:32 ----SHD---- C:\WINDOWS\system32\dllcache
2008-12-09 20:48:29 ----D---- C:\Program Files\Internet Explorer
2008-12-09 20:48:13 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-09 19:12:58 ----D---- C:\Program Files
2008-12-09 18:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-09 12:23:50 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 12:20:19 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-09 00:35:53 ----A---- C:\WINDOWS\system32\CmdLineExt03.dll
2008-12-08 22:39:46 ----D---- C:\WINDOWS\system32\Restore
2008-12-08 22:39:45 ----SHD---- C:\System Volume Information
2008-12-08 21:06:58 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-07 00:07:37 ----D---- C:\WINDOWS\system32\drivers
2008-12-07 00:01:17 ----A---- C:\WINDOWS\system.ini
2008-12-06 23:58:49 ----D---- C:\WINDOWS\system32\config
2008-12-06 23:56:17 ----D---- C:\WINDOWS\AppPatch
2008-12-06 23:56:17 ----D---- C:\Program Files\Common Files
2008-12-06 23:40:46 ----SD---- C:\WINDOWS\Tasks
2008-12-06 16:11:46 ----RASH---- C:\boot.ini
2008-12-04 21:09:05 ----SHD---- C:\WINDOWS\Installer
2008-12-03 23:55:06 ----SD---- C:\Program Files\Xfire
2008-12-03 20:33:47 ----D---- C:\WINDOWS\WinSxS
2008-12-03 20:33:47 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-03 20:30:25 ----SD---- C:\Documents and Settings\Allen\Application Data\Microsoft
2008-12-03 19:31:24 ----A---- C:\WINDOWS\wininit.ini
2008-11-28 19:19:17 ----D---- C:\Program Files\SmileyPad
2008-11-27 13:31:13 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-22 20:10:17 ----D---- C:\Documents and Settings\Allen\Application Data\Hamachi
2008-11-22 14:05:32 ----D---- C:\WINDOWS\Help
2008-11-20 19:27:01 ----D---- C:\Documents and Settings\Allen\Application Data\teamspeak2
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-18 36864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-12-03 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-12-03 26824]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 OADevice;OADriver; \??\C:\WINDOWS\system32\drivers\OADriver.sys []
R1 OAmon;OAmon; \??\C:\WINDOWS\system32\drivers\OAmon.sys []
R1 OAnet;OAnet; \??\C:\WINDOWS\system32\drivers\OAnet.sys []
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-06-07 1580544]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-08-14 44544]
R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-04-15 25280]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\system32\DRIVERS\IPFilter.sys [2002-04-11 11136]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-08-15 1171464]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 DSproct;DSproct; \??\C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
S3 MotoSwitchService;MotoSwitch Service; C:\WINDOWS\system32\DRIVERS\motswch.sys [2007-11-02 6400]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-06-07 409600]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2005-06-02 86606]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-12-15 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 OAcat;Online Armor Helper Service; C:\Program Files\Tall Emu\Online Armor\oacat.exe [2008-11-26 1402568]
R2 SvcOnlineArmor;Online Armor; C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2008-11-26 3321032]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []
-----------------EOF-----------------
Sorry for double posting but I've discovered the redirect problem is gone in Internet Explorer. I think it is Firefox that is having this problem.
Good Morning,
C:\WINDOWS\ijibanovekegubix.dll <-- Delete this file
Open Firefox and go to Tools> Clear Private Data, put a checkmark in everything and click on Clear Private Data Now
Go to Tools> Options> Application Tab, do you see anything out of the ordinary in there.
If that didn't help what about this.
Did you completely uninstall Firefox ?
Mozilla Firefox <---Did you delete this folder ??
You need to to that so that there is no trace of Firefox on your system, then reboot and reinstall it
http://www.mozilla.com/en-US/firefox/
If your still having this issue than I am going to have someone else look at this as I am out of ideas
Ken:)
Good morning.
Ok, I found and deleted the file you indicated in C:\Windows and now it's gone.
I uninstalled Firefox and deleted the Mozilla Firefox folder in C:\Program files. I did a Windows search and found additional folders with the title Mozilla. Those I deleted as well. Then I rebooted and reinstalled Firefox. I did a web search on Google and Yahoo. I still got redirected by goored in Google and Yahoo led me elsewhere. Internet Explorer is still unaffected by this, so I guess I'll do my web searches there for the time being.
Still, I appreciate the ideas you're giving to help me. Thanks. :)
Look for and delete this file, it may be in C:\windows or C:\windows\system32
f52c75cc.dll
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"99452efa"=-
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg
I did a search and nothing was found. Did a search in My Computer and drive C, nothing found.
I merged the reg file and I tried the search again in Firefox. Still no effect. I didn't reboot when the reg file was merged. Is a reboot needed?
Go ahead and reboot and then try Firefox, I am going to have someone else take a peak at this
Did a reboot. Still redirecting in Firefox. Hmm, this thing is pretty stubborn.
Lets try bypassing your router, just plug your lan cable directly into your computer and see if your still getting redirected, if not then you need to reset your router.
If you have not bypassed your router yet, delete this file first and see if it makes a difference. Have a few people looking in on this one.
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
Hello,
It appears this is a new infection and the great people in the Malware Removal Community are coming up with a fix.
Please download GooredFix (http://jpshortstuff.247fixes.com/GooredFix.exe) and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
Hi. I pushed the reset button on my router and I tried to find the file you specified. Windows search found nothing. After the router reset I did the same search, got redirected by goored. Log as requested.
GooredFix v1.3 by jpshortstuff
Log created at 20:56 on 12/12/2008 running Option #1
=====Suspect Goored Entries=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
Hang in, where almost there, now we know its not your router. I notified JP Shortstuff about your reply, I want him to look this over so he can add it to his Gooredfix tool. Be back in the am, been a looooooooog day :)
Ah, good to know. Been a long day for me as well. Thanks. :)
Lets go ahead and run Option 2
Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Then use Firefox and see if the redirect is gone, do some searches and make sure all is well.
It worked. I've done multiple searches in Google and Yahoo and the redirects are gone. Give my thanks to jpshortstuff. There are some tools and files downloaded to my desktop which are RSIT, DNSCheck, RegQuery, DirLook, Regfix.reg. Could you tell me which ones I don't need? Thanks, Ken. :)
GooredFix v1.3 by jpshortstuff
Log created at 12:19 on 14/12/2008 running Option #2
=====Goored Deletions=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
->Deleting value... Done.
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Removing loadpoint... Done.
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Emptying folder... Done.
->Deleting folder... Done.
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
Thats great, now I can go have that cold one I have been wanting :lip:
You can drag any of the tools we used to the trash, I previously posted about how to remove Combofix and a list of tools to install, read through that and install those tools to help keep you more secure.
I would like to ask you to do this for us please, its totally voluntary but with Goordfix being new, JPShortstuff is looking for any information he can get to improve this fix. Would you mind uploading your Firefox profile to him.
Go to My Computer> C:Drive > Program Files > Mozilla Firefox > Defaults > Profile and open your Profile Folder, then click on Edit....Select All and then go to File > Send To > Compressed Zip Folder. (If you have WinZip installed if will be different )
Save the folder anywhere you can find it
Then go to
http://www.thespykiller.co.uk/
and towards the bottom of the page in the forums ( you need not registry if you do not want to ) look for the Uploads forum, start a new topic . Name the topic FOR JPSHORTSTUFF and put the link to this thread in the reply
http://forums.spybot.info/showthread.php?t=40901
Then use the Browse feature and browse to where you saved the Zipped file and upload it.
Thanks,
Take Care,
Ken
I will keep and eye out for you next time I am traveling across the Cross Bronx Expressway :)
Ah, ok. I'll keep the tools that you recommended I can keep. :)
Sure, no problem. I'd be happy to help jpshortstuff. I uploaded the zip file of my Firefox profile folder to thespykiller.
Thanks, Ken. Perhaps I'll see you on the Cross Bronx. :)
Hi,
JPShortstuff got your upload but it did not contain the info he wanted, we may have done it wrong, hate to bother you can you do it again, he said to do it this way.
Please navigate to:
c:\documents and settings\*your name*\Application Data\Mozilla\Firefox\Profiles
Then, right-click on "tif0o28q.default" and select "Send To" >> "Compressed (zipped) folder" to create a .zip of the whole folder. The file should be called something like tif0o28q.default.zip, please upload that to spykillers as before.
Thanks.
Ah, ok. It's not a problem. I uploaded the file as asked. I hope he finds what he's looking for. :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.