Spybot & certain websites blocked, browser redirects



151Henry151
2009-05-27, 23:45
Running a Dell Inspiron 6000 with windows XP SP2 and using Google Chrome as a browser.

Spybot won't open unless I copy the installation folder, rename it, and rename the EXE. Found 16 malware items, removed them all, still have the same problem. Certain websites like the homepage of Spybot S&D and several other malware removal sites are blocked. I get random redirects when clicking on results from any google searches, most of them sending me to penis enlargement sites and porn sites. Computer running slightly slower than usual.

Thanks for any help in advance.



Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:25 PM, on 5/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
E:\Program Files\FolderSize\FolderSizeSvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\hkcmd.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Windows\Config\WINDLL~1.exe
E:\Program Files\MagicDisc\MagicDisc.exe
E:\Program Files\TabsLock\tabslock.exe
E:\Program Files\OpenOffice.org 3\program\soffice.exe
E:\Program Files\OpenOffice.org 3\program\soffice.bin
E:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Winamp\winamp.exe
E:\WINDOWS\System32\svchost.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MP10_EnsureFileVer] E:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [IntelZeroConfig] "E:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows*Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows*Updates] c:\windows\system\Update.exe
O4 - HKCU\..\Run: [WINDLL~1.exe] E:\Windows\Config\WINDLL~1.exe
O4 - Startup: MagicDisc.lnk = E:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 3.0.lnk = E:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: santa.bat
O4 - Startup: TabsLock.lnk = E:\Program Files\TabsLock\tabslock.exe
O4 - Startup: VZAccess Manager.lnk.disabled
O4 - Global Startup: Desktop Manager.lnk.disabled
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://E:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B578110-D8AE-42BC-A5A5-FEFEB4C635D9}: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{52F65B3F-52BD-488C-8708-FDC656C0836B}: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: C-DillaSrv - C-Dilla Ltd - E:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - E:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate1c99bb882e1fe0a) (gupdate1c99bb882e1fe0a) - Google Inc. - E:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7059 bytes
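Two things in that log stand out to a responder. The O17 lines show every network interface GUID and all three control sets (CCS, CS1, CS2) pointing at 85.255.112.70 and 85.255.112.127 instead of the ISP's resolvers; a resolver someone else controls can answer for any name, which fits both the search-result redirects and the blocked security-vendor sites. The O4 lines carry autoruns that do not look like installed software: a `Windows*Updates` value pointing at c:\windows\system\Update.exe on a drive letter Windows does not run from (the running processes show Windows on E:), `WINDLL~1.exe` in E:\Windows\Config, and `santa.bat` in the Startup folder. The script below is an added example, not part of the thread, HijackThis, Spybot or DDS; it applies those checks mechanically to a HijackThis log. The resolver allowlist, the list of unusual directories, the character check on Run value names and the 8.3-name check are all assumptions to tune per host, and the sample input is an excerpt of the log posted above.

```python
"""Triage a HijackThis log for DNS hijacking and out-of-place autoruns.

Added example for this thread; not part of HijackThis, Spybot or DDS.  Reads the
O17 (per-interface NameServer) and O4 (Run keys, Startup folder) lines and reports
what falls outside a baseline the operator supplies.  Every check is a heuristic
and an assumption to tune per host, not a signature.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

# Resolvers expected on this host.  Assumed baseline: the OpenDNS pair the later
# DDS log in the thread shows; use the ISP or corporate resolvers instead.
TRUSTED_RESOLVERS = frozenset({"208.67.220.220", "208.67.222.222"})
# Directory fragments no normal installer writes an autorun into (assumption).
SUSPICIOUS_DIRS = ("\\windows\\system\\", "\\windows\\config\\", "\\temp\\", "\\recycler\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".pif", ".scr")

_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
_O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<target>.+)$")
_EXE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|com|scr|pif|bat|cmd|vbs))', re.I)
_SMSS = re.compile(r"^(?P<drive>[A-Za-z]):\\windows\\system32\\smss\.exe$", re.I)


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def detect_system_drive(log_text: str) -> str | None:
    """Drive letter of the running smss.exe: the one 'system drive' hint in the
    log that does not come from the autorun entries we are suspicious of."""
    for line in log_text.splitlines():
        if m := _SMSS.match(line.strip()):
            return m["drive"].upper()
    return None


def _path_reasons(path: str, system_drive: str | None) -> list[str]:
    low = path.lower()
    reasons = []
    if system_drive and low[0].upper() != system_drive:
        reasons.append(f"autorun on drive {low[0].upper()}: but Windows runs from {system_drive}:")
    for frag in SUSPICIOUS_DIRS:
        if frag in low:
            reasons.append(f"autorun under unusual directory {frag}")
    if re.search(r"~\d", low):          # 8.3 short name, rare in real Run entries
        reasons.append("8.3 short name in autorun path")
    return reasons


def triage(log_text: str, trusted: frozenset[str] = TRUSTED_RESOLVERS) -> list[Finding]:
    system_drive = detect_system_drive(log_text)
    findings: list[Finding] = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        reasons: list[str] = []
        if m := _O17.match(line):
            for server in (s.strip() for s in m["servers"].split(",")):
                try:
                    known = str(ipaddress.ip_address(server)) in trusted
                except ValueError:      # not an IP literal at all: also worth a look
                    known = False
                if not known:
                    reasons.append(f"resolver {server} not in allowlist")
        elif m := _O4_RUN.match(line):
            if re.search(r"[*?<>|]", m["name"]):
                reasons.append(f"Run value name {m['name']!r} contains characters installers do not use")
            if e := _EXE.match(m["cmd"]):
                reasons += _path_reasons(e["path"], system_drive)
            else:
                reasons.append("could not extract an executable path from the command")
        elif m := _O4_STARTUP.match(line):
            name, _, target = m["target"].partition(" = ")
            if name.lower().endswith(SCRIPT_EXTS):
                reasons.append(f"script file {name!r} in Startup folder")
            if e := _EXE.match(target):
                reasons += _path_reasons(e["path"], system_drive)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""Running processes:
E:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows*Updates] c:\windows\system\Update.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WINDLL~1.exe] E:\Windows\Config\WINDLL~1.exe
O4 - Startup: MagicDisc.lnk = E:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: santa.bat
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B578110-D8AE-42BC-A5A5-FEFEB4C635D9}: NameServer = 85.255.112.70,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.70,85.255.112.127
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the excerpt it flags exactly the five lines a human would circle (the two rogue O17 entries, `Windows*Updates`, `WINDLL~1.exe` and `santa.bat`) and stays quiet on QuickTime, TeaTimer and MagicDisc. Taking the system drive from smss.exe rather than from the O4 paths matters here: the log is the thing under suspicion, so the baseline has to come from a line the malware has no reason to forge.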

Blade81
2009-05-28, 17:08
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

151Henry151
2009-05-29, 14:34
DDS (Ver_09-05-14.01) - NTFSx86
Run by Romp at 14:31:39.57 on Fri 05/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.361 [GMT 2:00]

FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
E:\Program Files\Tall Emu\Online Armor\OAcat.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\FolderSize\FolderSizeSvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Program Files\Tall Emu\Online Armor\oaui.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Tall Emu\Online Armor\OAhlp.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\TabsLock\tabslock.exe
E:\Program Files\OpenOffice.org 3\program\soffice.exe
E:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
E:\Program Files\OpenOffice.org 3\program\soffice.bin
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\Program Files\Winamp\winamp.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Tall Emu\Online Armor\oasrv.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\My Documents\Downloads\utorrent.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "e:\documents and settings\romp\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "e:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] e:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "e:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Windows*Updates] c:\windows\system\Update.exe
uRun: [WINDLL~1.exe] e:\windows\config\WINDLL~1.exe
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MP10_EnsureFileVer] e:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [IntelZeroConfig] "e:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "e:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows*Updates] c:\windows\system\Update.exe
mRun: [igfxtray] e:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] e:\windows\system32\hkcmd.exe
mRun: [igfxpers] e:\windows\system32\igfxpers.exe
mRun: [@OnlineArmor GUI] "e:\program files\tall emu\online armor\oaui.exe"
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\magicd~1.lnk - e:\program files\magicdisc\MagicDisc.exe
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\openof~1.lnk - e:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: e:\documents and settings\romp\start menu\programs\startup\santa.bat
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\tabslock.lnk - e:\program files\tabslock\tabslock.exe
StartupFolder: e:\documents and settings\romp\start menu\programs\startup\VZAccess Manager.lnk.disabled
StartupFolder: e:\documents and settings\all users\start menu\programs\startup\Desktop Manager.lnk.disabled
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {3B578110-D8AE-42BC-A5A5-FEFEB4C635D9} = 208.67.220.220,208.67.222.222
TCP: {52F65B3F-52BD-488C-8708-FDC656C0836B} = 208.67.220.220,208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - e:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 OADevice;OADriver;e:\windows\system32\drivers\OADriver.sys [2009-5-28 198224]
R1 OAmon;OAmon;e:\windows\system32\drivers\OAmon.sys [2009-5-28 31824]
R1 OAnet;OAnet;e:\windows\system32\drivers\OAnet.sys [2009-5-28 29776]
R2 OAcat;Online Armor Helper Service;e:\program files\tall emu\online armor\oacat.exe [2009-5-28 361672]
R2 SvcOnlineArmor;Online Armor;e:\program files\tall emu\online armor\oasrv.exe [2009-5-28 3052744]
S2 gupdate1c99bb882e1fe0a;Google Update Service (gupdate1c99bb882e1fe0a);e:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-05-29 02:57 <DIR> --d-h--- e:\windows\PIF
2009-05-28 00:15 <DIR> --d----- e:\docume~1\romp\applic~1\OnlineArmor
2009-05-28 00:15 <DIR> --d----- e:\docume~1\alluse~1\applic~1\OnlineArmor
2009-05-28 00:15 198,224 a------- e:\windows\system32\drivers\OADriver.sys
2009-05-28 00:15 31,824 a------- e:\windows\system32\drivers\OAmon.sys
2009-05-28 00:15 29,776 a------- e:\windows\system32\drivers\OAnet.sys
2009-05-28 00:15 <DIR> --d----- e:\program files\Tall Emu
2009-05-27 22:44 <DIR> --d----- e:\program files\Trend Micro
2009-05-27 22:14 <DIR> --d----- e:\program files\testing
2009-05-27 22:13 <DIR> --d----- e:\program files\Copy of Spybot - Search & Destroy
2009-05-18 21:40 139,264 a------- e:\windows\system32\igfxres.dll
2009-05-18 02:51 <DIR> --d----- e:\program files\GameSpy Arcade
2009-05-18 02:49 <DIR> --d----- e:\program files\EA GAMES
2009-05-18 00:57 <DIR> --d----- e:\program files\Codemasters
2009-05-17 21:17 <DIR> --d----- e:\program files\ASIO4ALL v2
2009-05-15 23:09 900,015 a------- e:\windows\system32\TmpA41508625
2009-05-15 22:18 1,777,664 a------- e:\windows\system32\gdiplus.dll
2009-05-15 22:08 <DIR> --d----- e:\program files\VstPlugins
2009-05-15 22:08 1,294,336 a------- e:\windows\system32\vorbis.acm
2009-05-15 22:08 <DIR> --d----- e:\program files\Outsim
2009-05-15 22:05 <DIR> --d----- e:\program files\Image-Line
2009-05-14 14:10 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Blizzard
2009-05-13 01:05 <DIR> --d-h--- E:\C_DILLA
2009-05-13 01:05 260,096 a------- e:\windows\CDILLA32.DLL
2009-05-13 01:05 63,344 a------- e:\windows\CDILLA05.DLL
2009-05-13 01:05 57,392 a------- e:\windows\system32\drivers\CDANT.SYS
2009-05-13 01:05 55,376 a------- e:\windows\CDILLA40.DLL
2009-05-13 01:05 45,056 a------- e:\windows\CDILLA13.DLL
2009-05-13 01:05 32,256 a------- e:\windows\system32\drivers\CDANTSRV.EXE
2009-05-13 01:05 23,856 a------- e:\windows\CDILLA10.EXE
2009-05-13 01:05 7,056 a------- e:\windows\CDILLA16.EXE
2009-05-13 01:05 212,480 a------- e:\windows\system32\PCDLIB32.DLL
2009-05-13 01:05 77,312 a------- e:\windows\system32\TWAIN_32.DLL
2009-05-09 11:10 <DIR> --d----- e:\docume~1\romp\applic~1\Copy of Winamp

==================== Find3M ====================

2009-04-24 23:44 12,400 a------- e:\windows\system32\drivers\secdrv.sys
2009-04-20 01:49 17,724 a---h--- e:\windows\system32\mlfcache.dat
2009-04-15 23:29 3,366,912 a------- e:\windows\system32\GPhotos.scr
2009-03-22 06:33 410,984 a------- e:\windows\system32\deploytk.dll
2009-01-28 06:35 256 ac------ e:\documents and settings\romp\pool.bin

============= FINISH: 14:32:59.26 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2009 1:57:13 AM
System Uptime: 5/28/2009 2:33:54 AM (36 hours ago)

Motherboard: Dell Inc. | | 0W9260
Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

D: is CDROM ()
E: is FIXED (NTFS) - 37 GiB total, 2.884 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP117: 4/26/2009 12:49:25 PM - Removed iTunes
RP118: 4/26/2009 9:54:13 PM - Removed Apple Mobile Device Support
RP119: 4/26/2009 11:54:59 PM - Installed SPORE™
RP120: 4/27/2009 12:05:42 AM - Installed SPORE™
RP121: 4/27/2009 12:14:36 AM - Installed SPORE™
RP122: 4/27/2009 12:33:12 AM - Installed SPORE™
RP123: 4/27/2009 12:47:08 AM - Removed SPORE™
RP124: 4/27/2009 12:51:06 AM - Installed SPORE™
RP125: 4/27/2009 1:16:17 AM - Installed Folder Size for Windows
RP126: 4/27/2009 1:23:50 AM - Installed SPORE™
RP127: 4/27/2009 9:07:11 PM - Removed SPORE™
RP128: 4/27/2009 9:07:59 PM - Installed SPORE™
RP129: 4/27/2009 9:12:46 PM - Installed DirectX 9.0
RP130: 4/29/2009 3:12:46 AM - System Checkpoint
RP131: 4/30/2009 3:49:55 AM - System Checkpoint
RP132: 5/1/2009 7:40:27 PM - System Checkpoint
RP133: 5/2/2009 8:04:07 PM - System Checkpoint
RP134: 5/2/2009 11:45:04 PM - Installed Pcsx2 0.9.6
RP135: 5/4/2009 1:39:27 AM - System Checkpoint
RP136: 5/5/2009 3:21:37 PM - System Checkpoint
RP137: 5/6/2009 4:29:32 PM - System Checkpoint
RP138: 5/7/2009 4:52:40 PM - System Checkpoint
RP139: 5/8/2009 7:11:11 PM - System Checkpoint
RP140: 5/8/2009 9:19:15 PM - Removed Pcsx2 0.9.6
RP141: 5/9/2009 11:22:50 PM - System Checkpoint
RP142: 5/11/2009 12:53:35 AM - System Checkpoint
RP143: 5/12/2009 1:14:47 AM - System Checkpoint
RP144: 5/13/2009 12:54:37 PM - System Checkpoint
RP145: 5/14/2009 3:30:08 PM - System Checkpoint
RP146: 5/17/2009 1:20:19 PM - Removed Google Earth.
RP147: 5/18/2009 2:51:39 AM - Installed Battlefield 1942
RP148: 5/18/2009 3:54:09 AM - Installed PunkBuster for Battlefield 1942
RP149: 5/18/2009 3:54:29 AM - Removed Battlefield 1942
RP150: 5/18/2009 3:56:56 AM - Installed Battlefield 1942
RP151: 5/26/2009 1:09:59 AM - System Checkpoint
RP152: 5/28/2009 3:29:08 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Altruist
Apple Software Update
ArtMoney SE v7.30.3
ASIO4ALL
BlackBerry® Media Sync
Broadcom 440x 10/100 Integrated Controller
C-Dilla Licence Management System
C-Major Audio
Collab
Conexant D110 MDC V.92 Modem
dBpoweramp Music Converter
FL Studio 7
Folder Size for Windows
GameSpy Arcade
Google Chrome
Google Earth
Google SketchUp Pro 7
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
IL Download Manager
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Java(TM) 6 Update 12
KC Softwares AudioGrail
Magic ISO Maker v5.5 (build 0265)
MagicDisc 2.7.106
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 6.0 Parser (KB933579)
Music Collection 2.04.630
mWlsSafe
mWMI
mZConfig
Online Armor 3.5
OpenMG Jukebox
OpenMG Network Walkman(MS) Help
OpenMG Secure Module 3.0.03
OpenOffice.org 3.0
Picasa 3
QuickTime
REAPER
Skype™ 4.0
Sony USB Driver
SPORE™
Spybot - Search & Destroy
Switch Sound File Converter
TabsLock
twhirl
V CAST Music with Rhapsody
VZAccess Manager for RIM
WebFldrs XP
Winamp
Winamp Essentials Pack
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
WinRAR archiver

==== Event Viewer Messages From Past Week ========

5/28/2009 9:58:25 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 58 time(s).
5/28/2009 9:54:04 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 57 time(s).
5/28/2009 9:49:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 56 time(s).
5/28/2009 9:45:21 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 55 time(s).
5/28/2009 9:40:50 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 54 time(s).
5/28/2009 9:36:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 53 time(s).
5/28/2009 8:29:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 52 time(s).
5/28/2009 8:23:57 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 51 time(s).
5/28/2009 8:19:06 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 50 time(s).
5/28/2009 8:04:35 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 49 time(s).
5/28/2009 7:59:34 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 48 time(s).
5/28/2009 7:55:12 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 47 time(s).
5/28/2009 7:50:41 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 46 time(s).
5/28/2009 7:46:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 45 time(s).
5/28/2009 7:38:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 44 time(s).
5/28/2009 7:32:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 43 time(s).
5/28/2009 7:28:07 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 42 time(s).
5/28/2009 7:23:36 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 41 time(s).
5/28/2009 7:15:55 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 40 time(s).
5/28/2009 7:01:44 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 39 time(s).
5/28/2009 6:45:53 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 38 time(s).
5/28/2009 6:27:52 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 37 time(s).
5/28/2009 6:23:10 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 36 time(s).
5/28/2009 6:18:29 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 35 time(s).
5/28/2009 6:14:08 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 34 time(s).
5/28/2009 6:09:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 33 time(s).
5/28/2009 6:05:16 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 32 time(s).
5/28/2009 6:00:55 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 31 time(s).
5/28/2009 5:56:34 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 30 time(s).
5/28/2009 5:52:13 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 29 time(s).
5/28/2009 5:47:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 28 time(s).
5/28/2009 5:43:21 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 27 time(s).
5/28/2009 5:39:00 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 26 time(s).
5/28/2009 5:34:39 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 25 time(s).
5/28/2009 5:30:18 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 24 time(s).
5/28/2009 5:25:47 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 23 time(s).
5/28/2009 5:20:46 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 22 time(s).
5/28/2009 5:16:25 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 21 time(s).
5/28/2009 5:12:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 20 time(s).
5/28/2009 5:07:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 19 time(s).
5/28/2009 5:00:01 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 18 time(s).
5/28/2009 4:53:00 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 17 time(s).
5/28/2009 4:47:49 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 16 time(s).
5/28/2009 4:42:18 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 15 time(s).
5/28/2009 4:37:47 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 14 time(s).
5/28/2009 4:33:15 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 13 time(s).
5/28/2009 4:28:54 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 12 time(s).
5/28/2009 4:24:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 11 time(s).
5/28/2009 4:19:12 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 10 time(s).
5/28/2009 4:14:51 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 9 time(s).
5/28/2009 4:10:30 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 8 time(s).
5/28/2009 4:06:09 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 7 time(s).
5/28/2009 4:01:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 6 time(s).
5/28/2009 3:57:27 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 5 time(s).
5/28/2009 3:53:06 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 4 time(s).
5/28/2009 3:47:35 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 3 time(s).
5/28/2009 3:43:05 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 2 time(s).
5/28/2009 3:38:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 1 time(s).
5/28/2009 12:06:54 PM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 83 time(s).
5/28/2009 11:59:33 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 82 time(s).
5/28/2009 11:49:52 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 81 time(s).
5/28/2009 11:45:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 80 time(s).
5/28/2009 11:40:59 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 79 time(s).
5/28/2009 11:33:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 78 time(s).
5/28/2009 11:26:57 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 77 time(s).
5/28/2009 11:22:36 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 76 time(s).
5/28/2009 11:18:14 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 75 time(s).
5/28/2009 11:13:53 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 74 time(s).
5/28/2009 11:09:32 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 73 time(s).
5/28/2009 11:05:01 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 72 time(s).
5/28/2009 11:00:40 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 71 time(s).
5/28/2009 10:56:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 70 time(s).
5/28/2009 10:51:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 69 time(s).
5/28/2009 10:47:16 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 68 time(s).
5/28/2009 10:42:45 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 67 time(s).
5/28/2009 10:38:24 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 66 time(s).
5/28/2009 10:34:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 65 time(s).
5/28/2009 10:29:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 64 time(s).
5/28/2009 10:25:10 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 63 time(s).
5/28/2009 10:17:49 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 62 time(s).
5/28/2009 10:11:28 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 61 time(s).
5/28/2009 10:07:07 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 60 time(s).
5/28/2009 10:02:46 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 59 time(s).
5/27/2009 10:03:38 PM, error: Service Control Manager [7034] - The Folder Size service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:36 PM, error: Service Control Manager [7034] - The C-DillaSrv service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:21 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:18 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:13 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:03 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:01 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:02:56 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
5/26/2009 5:18:56 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0A33B4A. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/26/2009 5:17:26 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0A33B4A. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/26/2009 4:29:52 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
Thank you once again for your assistance.
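The Service Control Manager entries above (event 7034) show one service, Online Armor, dying and being restarted dozens of times in a few hours, while the other services each died once at shutdown on 5/27. Tallying unexpected terminations per service is a quick way to make that pattern stand out in a long Event Viewer dump, and repeated crashes of a security product's service are worth examining on their own. The following is an added example, not code from this thread or from the DDS tool: it parses lines in the Event Viewer format DDS prints ("date, level: source [id] - message") and counts 7034 terminations per service. The sample lines are a small subset copied from the log above, and the threshold of 5 crashes is an arbitrary choice for illustration.

```python
import re
from datetime import datetime

# One line of the "Event Viewer Messages" section of a DDS attach.txt:
#   <m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<event id>] - <message>
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Body of a Service Control Manager 7034 event.
CRASH_RE = re.compile(
    r"^The (?P<service>.+) service terminated unexpectedly\. "
    r"It has done this (?P<count>\d+) time\(s\)\.$"
)

# Sample input: a subset of the event lines quoted in the post above.
SAMPLE_LOG = [
    "5/28/2009 11:59:33 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 82 time(s).",
    "5/28/2009 11:49:52 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 81 time(s).",
    "5/28/2009 11:45:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 80 time(s).",
    "5/27/2009 10:03:38 PM, error: Service Control Manager [7034] - The Folder Size service terminated unexpectedly. It has done this 1 time(s).",
    "5/27/2009 10:03:36 PM, error: Service Control Manager [7034] - The C-DillaSrv service terminated unexpectedly. It has done this 1 time(s).",
    "5/27/2009 10:03:21 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).",
    "5/26/2009 5:18:56 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0A33B4A. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.",
    "5/26/2009 4:29:52 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.",
]


def parse_event_line(line):
    """Return a dict for one DDS event line, or None if the line is not in that format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["when"] = datetime.strptime(rec["when"], "%m/%d/%Y %I:%M:%S %p")
    return rec


def tally_service_crashes(lines):
    """Map service name -> entries seen, highest SCM counter, and first/last timestamp.

    Only Service Control Manager event 7034 ("terminated unexpectedly") is counted;
    every other line is parsed but ignored.
    """
    tally = {}
    for line in lines:
        rec = parse_event_line(line)
        if rec is None or rec["event_id"] != 7034:
            continue
        cm = CRASH_RE.match(rec["message"])
        if not cm:
            continue
        svc = cm.group("service")
        entry = tally.setdefault(
            svc, {"entries": 0, "max_reported": 0, "first": rec["when"], "last": rec["when"]}
        )
        entry["entries"] += 1
        # SCM reports its own running counter; keep the highest value seen.
        entry["max_reported"] = max(entry["max_reported"], int(cm.group("count")))
        entry["first"] = min(entry["first"], rec["when"])
        entry["last"] = max(entry["last"], rec["when"])
    return tally


def flag_crash_storms(tally, threshold=5):
    """Services whose SCM counter reached `threshold` or more, most-crashed first."""
    hits = [(svc, e["max_reported"]) for svc, e in tally.items() if e["max_reported"] >= threshold]
    return [svc for svc, _ in sorted(hits, key=lambda h: -h[1])]


if __name__ == "__main__":
    result = tally_service_crashes(SAMPLE_LOG)
    for svc, e in sorted(result.items(), key=lambda kv: -kv[1]["max_reported"]):
        print(f"{svc}: {e['entries']} lines, counter reached {e['max_reported']}, "
              f"{e['first']:%Y-%m-%d %H:%M} .. {e['last']:%Y-%m-%d %H:%M}")
    print("repeated crashes:", flag_crash_storms(result))
```

Feed the whole "Event Viewer Messages From Past Week" section to `tally_service_crashes` to get the per-service picture in one pass; the counter SCM reports is more reliable than counting lines, since DDS only shows the past week and truncates long sections.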

Blade81
2009-05-29, 16:39
Ok. Let's begin then :)

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

151Henry151
2009-05-30, 01:43
Ran combofix, it went smoothly but differed from the description in one regard: after completing all the stages, it said it would need to restart the computer, and did so. When it started back up, I logged in to windows, and a message appeared saying "....exe can not be found. Check the file name or path" or something to that effect. I should have written down the name of the exe and the exact words, but I didn't think to at the moment, I only remember that the name of the exe was a string of 5 or 6 letters, the first one being a C, but it wasn't Combofix.exe. I waited a while and combofix didn't appear, so I ran it again, it went through the stages and this time didn't ask me to restart, but provided me with this log:

ComboFix 09-05-29.01 - Romp 05/30/2009 1:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.578 [GMT 2:00]
Running from: e:\documents and settings\Romp\Desktop\ComboFix.exe
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
.

2009-05-29 00:57 . 2009-05-29 00:57 -------- d--h--w e:\windows\PIF
2009-05-27 22:15 . 2009-05-27 22:15 -------- d-----w e:\documents and settings\Romp\Application Data\OnlineArmor
2009-05-27 22:15 . 2009-05-27 22:15 -------- d-----w e:\documents and settings\All Users\Application Data\OnlineArmor
2009-05-27 22:15 . 2009-04-28 03:38 29776 ----a-w e:\windows\system32\drivers\OAnet.sys
2009-05-27 22:15 . 2009-04-28 03:02 31824 ----a-w e:\windows\system32\drivers\OAmon.sys
2009-05-27 22:15 . 2009-04-28 03:01 198224 ----a-w e:\windows\system32\drivers\OADriver.sys
2009-05-27 22:15 . 2009-05-27 22:15 -------- d-----w e:\program files\Tall Emu
2009-05-27 20:44 . 2009-05-27 20:44 -------- d-----w e:\program files\Trend Micro
2009-05-27 20:14 . 2009-05-27 20:14 -------- d-----w e:\program files\testing
2009-05-27 20:13 . 2009-05-27 20:13 -------- d-----w e:\program files\Copy of Spybot - Search & Destroy
2009-05-18 19:40 . 2006-06-07 01:05 139264 ----a-w e:\windows\system32\igfxres.dll
2009-05-18 00:51 . 2009-05-18 02:04 -------- d-----w e:\program files\GameSpy Arcade
2009-05-18 00:49 . 2009-05-18 00:51 -------- d-----w e:\program files\EA GAMES
2009-05-17 22:57 . 2009-05-17 22:57 -------- d-----w e:\program files\Codemasters
2009-05-17 19:17 . 2009-05-17 19:17 -------- d-----w e:\program files\ASIO4ALL v2
2009-05-15 20:18 . 2003-06-20 11:28 1777664 ----a-w e:\windows\system32\gdiplus.dll
2009-05-15 20:08 . 2009-05-17 19:17 -------- d-----w e:\program files\VstPlugins
2009-05-15 20:08 . 2009-05-15 20:08 -------- d-----w e:\program files\Outsim
2009-05-15 20:05 . 2009-05-17 19:17 -------- d-----w e:\program files\Image-Line
2009-05-14 12:10 . 2009-05-14 12:10 -------- d-----w e:\documents and settings\All Users\Application Data\Blizzard
2009-05-12 23:05 . 2009-05-12 23:05 -------- d--h--w E:\C_DILLA
2009-05-12 23:05 . 2001-09-10 17:09 57392 ----a-w e:\windows\system32\drivers\CDANT.SYS
2009-05-12 23:05 . 2001-09-10 17:09 45056 ----a-w e:\windows\CDILLA13.DLL
2009-05-12 23:05 . 2001-09-10 17:09 260096 ----a-w e:\windows\CDILLA32.DLL
2009-05-12 23:05 . 2001-09-10 17:08 32256 ----a-w e:\windows\system32\drivers\CDANTSRV.EXE
2009-05-12 23:05 . 2001-09-10 17:04 7056 ----a-w e:\windows\CDILLA16.EXE
2009-05-12 23:05 . 2001-09-10 17:04 23856 ----a-w e:\windows\CDILLA10.EXE
2009-05-12 23:05 . 2001-09-10 17:04 63344 ----a-w e:\windows\CDILLA05.DLL
2009-05-12 23:05 . 2001-09-10 15:38 55376 ----a-w e:\windows\CDILLA40.DLL
2009-05-12 23:05 . 1996-06-30 22:00 77312 ----a-w e:\windows\system32\TWAIN_32.DLL
2009-05-12 23:05 . 1995-07-31 11:44 212480 ----a-w e:\windows\system32\PCDLIB32.DLL
2009-05-09 09:10 . 2009-05-09 09:10 -------- d-----w e:\documents and settings\Romp\Application Data\Copy of Winamp
2009-05-09 09:04 . 2009-05-09 09:05 -------- d-----w e:\program files\Winamp
2009-05-02 07:01 . 2009-05-02 07:01 -------- d-----w e:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 23:30 . 2009-04-11 18:00 -------- d-----w e:\documents and settings\Romp\Application Data\Skype
2009-05-29 23:25 . 2009-04-11 18:41 -------- d-----w e:\documents and settings\Romp\Application Data\skypePM
2009-05-29 16:17 . 2009-02-27 22:38 -------- d-----w e:\documents and settings\Romp\Application Data\uTorrent
2009-05-29 13:52 . 2009-01-20 06:06 -------- d-----w e:\program files\REAPER
2009-05-29 03:37 . 2009-03-03 04:26 -------- d-----w e:\documents and settings\All Users\Application Data\Google Updater
2009-05-27 21:00 . 2009-02-26 19:38 -------- d-----w e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-27 20:14 . 2009-02-26 19:38 -------- d-----w e:\program files\Spybot - Search & Destroy
2009-05-27 17:00 . 2009-03-03 04:26 -------- d-----w e:\program files\Google
2009-05-26 14:31 . 2009-03-08 11:56 1 ----a-w e:\documents and settings\Romp\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-25 23:10 . 2009-01-06 04:05 -------- d--h--w e:\program files\InstallShield Installation Information
2009-05-18 02:04 . 2009-04-24 21:32 738 ----a-w e:\windows\eReg.dat
2009-05-14 17:33 . 2009-04-23 22:00 -------- d-----w e:\program files\My Tribe
2009-05-09 09:13 . 2009-02-26 19:52 -------- d-----w e:\documents and settings\Romp\Application Data\Winamp
2009-04-27 19:13 . 2009-04-27 19:13 -------- d-----w e:\documents and settings\Romp\Application Data\SPORE
2009-04-27 00:21 . 2009-04-27 00:21 386560 ----a-w e:\documents and settings\Romp\Application Data\Free-backup.info\JustZIPit\JustZIPit.exe
2009-04-27 00:21 . 2009-04-27 00:21 -------- d-----w e:\documents and settings\Romp\Application Data\Free-backup.info
2009-04-26 23:16 . 2009-04-26 23:16 -------- d-----w e:\program files\FolderSize
2009-04-26 21:41 . 2009-04-26 21:41 -------- d-----w e:\program files\MagicDisc
2009-04-26 19:53 . 2009-04-24 18:34 -------- d-----w e:\program files\DebugMode
2009-04-26 10:50 . 2009-01-04 02:18 -------- d-----w e:\program files\Numark Cue
2009-04-26 10:46 . 2009-01-28 04:31 -------- d-----w e:\documents and settings\Romp\Application Data\Research In Motion
2009-04-26 10:46 . 2009-01-28 03:34 -------- d-----w e:\program files\Research In Motion
2009-04-26 10:46 . 2009-01-28 03:34 -------- d-----w e:\program files\Common Files\Research In Motion
2009-04-25 21:55 . 2009-04-25 17:19 -------- d-----w e:\program files\ArtMoney
2009-04-24 21:44 . 2004-08-12 14:04 12400 ----a-w e:\windows\system32\drivers\secdrv.sys
2009-04-24 21:31 . 2009-04-24 21:31 -------- d-----w e:\program files\Maxis
2009-04-24 21:14 . 2009-04-24 21:14 -------- d-----w e:\program files\MagicISO
2009-04-23 20:56 . 2009-04-23 20:56 -------- d-----w e:\program files\Common Files\Wise Installation Wizard
2009-04-20 19:07 . 2009-04-20 19:07 -------- d-----w e:\program files\TabsLock
2009-04-19 23:49 . 2009-04-19 23:49 17724 ---ha-w e:\windows\system32\mlfcache.dat
2009-04-17 23:02 . 2009-04-17 23:01 -------- d-----w e:\program files\Common Files\Adobe
2009-04-15 21:29 . 2009-04-15 21:29 3366912 ----a-w e:\windows\system32\GPhotos.scr
2009-04-11 18:41 . 2009-04-11 18:41 56 ---ha-w e:\windows\system32\ezsidmv.dat
2009-04-11 18:00 . 2009-04-11 18:00 -------- d-----w e:\program files\Common Files\Skype
2009-04-11 18:00 . 2009-04-11 18:00 -------- d-----r e:\program files\Skype
2009-04-11 18:00 . 2009-04-11 18:00 -------- d-----w e:\documents and settings\All Users\Application Data\Skype
2009-03-24 20:38 . 2009-01-28 04:31 256 ----a-w e:\windows\system32\pool.bin
2009-03-23 17:35 . 2009-03-23 17:35 13696 ----a-w e:\windows\system32\drivers\wpsnuio.sys
2009-03-22 04:34 . 2009-03-22 04:34 503808 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5aab2ea9-n\msvcp71.dll
2009-03-22 04:34 . 2009-03-22 04:34 499712 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5aab2ea9-n\jmc.dll
2009-03-22 04:34 . 2009-03-22 04:34 348160 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5aab2ea9-n\msvcr71.dll
2009-03-22 04:33 . 2009-01-24 12:54 410984 ----a-w e:\windows\system32\deploytk.dll
2009-03-22 04:32 . 2009-03-22 04:32 152576 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-21 19:27 . 2009-01-28 04:54 18448 ----a-w e:\documents and settings\Romp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-20 18:26 . 2009-03-20 18:27 38208 ----a-w e:\documents and settings\Romp\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="e:\documents and settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-21 133104]
"MSMSGS"="e:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SpybotSD TeaTimer"="e:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Skype"="e:\program files\Skype\\Phone\Skype.exe" [2009-04-16 24264488]
"WINDLL~1.exe"="e:\windows\Config\WINDLL~1.exe" [2009-05-06 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"MP10_EnsureFileVer"="e:\windows\inf\unregmp2.exe" [2004-08-12 208896]
"IntelZeroConfig"="e:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="e:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 148888]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"igfxtray"="e:\windows\system32\igfxtray.exe" [2006-06-07 94208]
"igfxhkcmd"="e:\windows\system32\hkcmd.exe" [2006-06-07 77824]
"igfxpers"="e:\windows\system32\igfxpers.exe" [2006-06-07 118784]
"@OnlineArmor GUI"="e:\program files\Tall Emu\Online Armor\oaui.exe" [2009-04-28 2045128]

e:\documents and settings\Romp\Start Menu\Programs\Startup\
MagicDisc.lnk - e:\program files\MagicDisc\MagicDisc.exe [2009-4-26 576000]
OpenOffice.org 3.0.lnk - e:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
santa.bat [2009-5-27 181]
TabsLock.lnk - e:\program files\TabsLock\tabslock.exe [2008-10-3 208896]
VZAccess Manager.lnk.disabled [2009-2-26 1893]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk.disabled [2009-1-28 1741]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "e:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-28 335048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BlackBerryAutoUpdate"=e:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\WINDOWS\\system32\\dplaysvr.exe"=
"e:\\Documents and Settings\\Romp\\My Documents\\Downloads\\utorrent.exe"=
"e:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"e:\\WINDOWS\\system32\\dpnsvr.exe"=
"e:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"e:\\Program Files\\Google\\Google SketchUp 7\\SketchUp.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 OADevice;OADriver;e:\windows\system32\drivers\OADriver.sys [5/28/2009 12:15 AM 198224]
R1 OAmon;OAmon;e:\windows\system32\drivers\OAmon.sys [5/28/2009 12:15 AM 31824]
R1 OAnet;OAnet;e:\windows\system32\drivers\OAnet.sys [5/28/2009 12:15 AM 29776]
R2 OAcat;Online Armor Helper Service;e:\program files\Tall Emu\Online Armor\oacat.exe [5/28/2009 12:15 AM 361672]
S2 gupdate1c99bb882e1fe0a;Google Update Service (gupdate1c99bb882e1fe0a);e:\program files\Google\Update\GoogleUpdate.exe [3/3/2009 6:28 AM 133104]
S2 SvcOnlineArmor;Online Armor;e:\program files\Tall Emu\Online Armor\oasrv.exe [5/28/2009 12:15 AM 3052744]
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-03 23:47]

2009-05-29 e:\windows\Tasks\GoogleUpdateTaskMachine.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 04:28]

2009-05-29 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-73586283-839522115-1004.job
- e:\documents and settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 09:11]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Windows*Updates - c:\windows\system\Update.exe
HKLM-Run-Windows*Updates - c:\windows\system\Update.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
TCP: {3B578110-D8AE-42BC-A5A5-FEFEB4C635D9} = 208.67.220.220,208.67.222.222
TCP: {52F65B3F-52BD-488C-8708-FDC656C0836B} = 208.67.220.220,208.67.222.222
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 01:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2720)
e:\windows\system32\msls31.dll
e:\windows\system32\shdoclc.dll
e:\windows\system32\msimtf.dll
e:\windows\system32\MSCTF.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
e:\program files\FolderSize\FolderSizeColumn.dll
e:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
e:\program files\Illustrate\dBpoweramp\dBShell.dll
e:\windows\system32\igfxpph.dll
e:\windows\system32\hccutils.DLL
e:\windows\system32\igfxres.dll
e:\windows\system32\igfxress.dll
e:\windows\system32\igfxsrvc.dll
e:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll
.
Completion time: 2009-05-29 1:34
ComboFix-quarantined-files.txt 2009-05-29 23:32

Pre-Run: 2,942,976,000 bytes free
Post-Run: 2,932,772,864 bytes free

200 --- E O F --- 2009-03-23 19:59


_________________________________________________________________

As requested, I ran DDS again, here are the two logs:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Romp at 1:34:40.31 on Sat 05/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.487 [GMT 2:00]

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
E:\Program Files\Tall Emu\Online Armor\OAcat.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
E:\Program Files\FolderSize\FolderSizeSvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Windows\Config\WINDLL~1.exe
E:\Program Files\MagicDisc\MagicDisc.exe
E:\Program Files\TabsLock\tabslock.exe
E:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\WINDOWS\explorer.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\WINDOWS\system32\notepad.exe
E:\Documents and Settings\Romp\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "e:\documents and settings\romp\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "e:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] e:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "e:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [WINDLL~1.exe] e:\windows\config\WINDLL~1.exe
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MP10_EnsureFileVer] e:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [IntelZeroConfig] "e:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "e:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [igfxtray] e:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] e:\windows\system32\hkcmd.exe
mRun: [igfxpers] e:\windows\system32\igfxpers.exe
mRun: [@OnlineArmor GUI] "e:\program files\tall emu\online armor\oaui.exe"
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\magicd~1.lnk - e:\program files\magicdisc\MagicDisc.exe
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\openof~1.lnk - e:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: e:\documents and settings\romp\start menu\programs\startup\santa.bat
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\tabslock.lnk - e:\program files\tabslock\tabslock.exe
StartupFolder: e:\documents and settings\romp\start menu\programs\startup\VZAccess Manager.lnk.disabled
StartupFolder: e:\documents and settings\all users\start menu\programs\startup\Desktop Manager.lnk.disabled
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {3B578110-D8AE-42BC-A5A5-FEFEB4C635D9} = 208.67.220.220,208.67.222.222
TCP: {52F65B3F-52BD-488C-8708-FDC656C0836B} = 208.67.220.220,208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - e:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 OADevice;OADriver;e:\windows\system32\drivers\OADriver.sys [2009-5-28 198224]
R1 OAmon;OAmon;e:\windows\system32\drivers\OAmon.sys [2009-5-28 31824]
R1 OAnet;OAnet;e:\windows\system32\drivers\OAnet.sys [2009-5-28 29776]
R2 OAcat;Online Armor Helper Service;e:\program files\tall emu\online armor\oacat.exe [2009-5-28 361672]
S2 gupdate1c99bb882e1fe0a;Google Update Service (gupdate1c99bb882e1fe0a);e:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]
S2 SvcOnlineArmor;Online Armor;e:\program files\tall emu\online armor\oasrv.exe [2009-5-28 3052744]

=============== Created Last 30 ================

2009-05-30 01:28 <DIR> --ds---- E:\ComboFix
2009-05-30 01:20 <DIR> a-dshr-- E:\cmdcons
2009-05-30 01:18 161,792 a------- e:\windows\SWREG.exe
2009-05-30 01:18 154,624 a------- e:\windows\PEV.exe
2009-05-30 01:18 98,816 a------- e:\windows\sed.exe
2009-05-29 02:57 <DIR> --d-h--- e:\windows\PIF
2009-05-28 00:15 <DIR> --d----- e:\docume~1\romp\applic~1\OnlineArmor
2009-05-28 00:15 <DIR> --d----- e:\docume~1\alluse~1\applic~1\OnlineArmor
2009-05-28 00:15 198,224 a------- e:\windows\system32\drivers\OADriver.sys
2009-05-28 00:15 31,824 a------- e:\windows\system32\drivers\OAmon.sys
2009-05-28 00:15 29,776 a------- e:\windows\system32\drivers\OAnet.sys
2009-05-28 00:15 <DIR> --d----- e:\program files\Tall Emu
2009-05-27 22:44 <DIR> --d----- e:\program files\Trend Micro
2009-05-27 22:14 <DIR> --d----- e:\program files\testing
2009-05-27 22:13 <DIR> --d----- e:\program files\Copy of Spybot - Search & Destroy
2009-05-18 21:40 139,264 a------- e:\windows\system32\igfxres.dll
2009-05-18 02:51 <DIR> --d----- e:\program files\GameSpy Arcade
2009-05-18 02:49 <DIR> --d----- e:\program files\EA GAMES
2009-05-18 00:57 <DIR> --d----- e:\program files\Codemasters
2009-05-17 21:17 <DIR> --d----- e:\program files\ASIO4ALL v2
2009-05-15 23:09 900,015 a------- e:\windows\system32\TmpA41508625
2009-05-15 22:18 1,777,664 a------- e:\windows\system32\gdiplus.dll
2009-05-15 22:08 <DIR> --d----- e:\program files\VstPlugins
2009-05-15 22:08 1,294,336 a------- e:\windows\system32\vorbis.acm
2009-05-15 22:08 <DIR> --d----- e:\program files\Outsim
2009-05-15 22:05 <DIR> --d----- e:\program files\Image-Line
2009-05-14 14:10 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Blizzard
2009-05-13 01:05 <DIR> --d-h--- E:\C_DILLA
2009-05-13 01:05 260,096 a------- e:\windows\CDILLA32.DLL
2009-05-13 01:05 63,344 a------- e:\windows\CDILLA05.DLL
2009-05-13 01:05 57,392 a------- e:\windows\system32\drivers\CDANT.SYS
2009-05-13 01:05 55,376 a------- e:\windows\CDILLA40.DLL
2009-05-13 01:05 45,056 a------- e:\windows\CDILLA13.DLL
2009-05-13 01:05 32,256 a------- e:\windows\system32\drivers\CDANTSRV.EXE
2009-05-13 01:05 23,856 a------- e:\windows\CDILLA10.EXE
2009-05-13 01:05 7,056 a------- e:\windows\CDILLA16.EXE
2009-05-13 01:05 212,480 a------- e:\windows\system32\PCDLIB32.DLL
2009-05-13 01:05 77,312 a------- e:\windows\system32\TWAIN_32.DLL
2009-05-09 11:10 <DIR> --d----- e:\docume~1\romp\applic~1\Copy of Winamp

==================== Find3M ====================

2009-04-24 23:44 12,400 a------- e:\windows\system32\drivers\secdrv.sys
2009-04-20 01:49 17,724 a---h--- e:\windows\system32\mlfcache.dat
2009-04-15 23:29 3,366,912 a------- e:\windows\system32\GPhotos.scr
2009-03-22 06:33 410,984 a------- e:\windows\system32\deploytk.dll
2009-01-28 06:35 256 ac------ e:\documents and settings\romp\pool.bin

============= FINISH: 1:34:59.23 ===============

And:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2009 1:57:13 AM
System Uptime: 5/30/2009 1:23:36 AM (0 hours ago)

Motherboard: Dell Inc. | | 0W9260
Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1595/133mhz

==== Disk Partitions =========================

D: is CDROM ()
E: is FIXED (NTFS) - 37 GiB total, 2.743 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP117: 4/26/2009 12:49:25 PM - Removed iTunes
RP118: 4/26/2009 9:54:13 PM - Removed Apple Mobile Device Support
RP119: 4/26/2009 11:54:59 PM - Installed SPORE™
RP120: 4/27/2009 12:05:42 AM - Installed SPORE™
RP121: 4/27/2009 12:14:36 AM - Installed SPORE™
RP122: 4/27/2009 12:33:12 AM - Installed SPORE™
RP123: 4/27/2009 12:47:08 AM - Removed SPORE™
RP124: 4/27/2009 12:51:06 AM - Installed SPORE™
RP125: 4/27/2009 1:16:17 AM - Installed Folder Size for Windows
RP126: 4/27/2009 1:23:50 AM - Installed SPORE™
RP127: 4/27/2009 9:07:11 PM - Removed SPORE™
RP128: 4/27/2009 9:07:59 PM - Installed SPORE™
RP129: 4/27/2009 9:12:46 PM - Installed DirectX 9.0
RP130: 4/29/2009 3:12:46 AM - System Checkpoint
RP131: 4/30/2009 3:49:55 AM - System Checkpoint
RP132: 5/1/2009 7:40:27 PM - System Checkpoint
RP133: 5/2/2009 8:04:07 PM - System Checkpoint
RP134: 5/2/2009 11:45:04 PM - Installed Pcsx2 0.9.6
RP135: 5/4/2009 1:39:27 AM - System Checkpoint
RP136: 5/5/2009 3:21:37 PM - System Checkpoint
RP137: 5/6/2009 4:29:32 PM - System Checkpoint
RP138: 5/7/2009 4:52:40 PM - System Checkpoint
RP139: 5/8/2009 7:11:11 PM - System Checkpoint
RP140: 5/8/2009 9:19:15 PM - Removed Pcsx2 0.9.6
RP141: 5/9/2009 11:22:50 PM - System Checkpoint
RP142: 5/11/2009 12:53:35 AM - System Checkpoint
RP143: 5/12/2009 1:14:47 AM - System Checkpoint
RP144: 5/13/2009 12:54:37 PM - System Checkpoint
RP145: 5/14/2009 3:30:08 PM - System Checkpoint
RP146: 5/17/2009 1:20:19 PM - Removed Google Earth.
RP147: 5/18/2009 2:51:39 AM - Installed Battlefield 1942
RP148: 5/18/2009 3:54:09 AM - Installed PunkBuster for Battlefield 1942
RP149: 5/18/2009 3:54:29 AM - Removed Battlefield 1942
RP150: 5/18/2009 3:56:56 AM - Installed Battlefield 1942
RP151: 5/26/2009 1:09:59 AM - System Checkpoint
RP152: 5/28/2009 3:29:08 AM - System Checkpoint
RP153: 5/30/2009 1:19:22 AM - ComboFix created restore point

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Altruist
Apple Software Update
ArtMoney SE v7.30.3
ASIO4ALL
BlackBerry® Media Sync
Broadcom 440x 10/100 Integrated Controller
C-Dilla Licence Management System
C-Major Audio
Collab
Conexant D110 MDC V.92 Modem
dBpoweramp Music Converter
FL Studio 7
Folder Size for Windows
GameSpy Arcade
Google Chrome
Google Earth
Google SketchUp Pro 7
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
IL Download Manager
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Java(TM) 6 Update 12
KC Softwares AudioGrail
Magic ISO Maker v5.5 (build 0265)
MagicDisc 2.7.106
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 6.0 Parser (KB933579)
Music Collection 2.04.630
mWlsSafe
mWMI
mZConfig
Online Armor 3.5
OpenMG Jukebox
OpenMG Network Walkman(MS) Help
OpenMG Secure Module 3.0.03
OpenOffice.org 3.0
Picasa 3
QuickTime
REAPER
Skype™ 4.0
Sony USB Driver
SPORE™
Spybot - Search & Destroy
Switch Sound File Converter
TabsLock
twhirl
V CAST Music with Rhapsody
VZAccess Manager for RIM
WebFldrs XP
Winamp
Winamp Essentials Pack
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
WinRAR archiver

==== Event Viewer Messages From Past Week ========

5/30/2009 1:24:14 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
5/30/2009 1:21:25 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
5/29/2009 3:26:19 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer NICOLAS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{52F65B3F-52BD-488C-8. The master browser is stopping or an election is being forced.
5/29/2009 3:23:01 PM, error: NetBT [4319] - A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
5/28/2009 9:58:25 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 58 time(s).
5/28/2009 9:54:04 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 57 time(s).
5/28/2009 9:49:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 56 time(s).
5/28/2009 9:45:21 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 55 time(s).
5/28/2009 9:40:50 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 54 time(s).
5/28/2009 9:36:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 53 time(s).
5/28/2009 8:29:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 52 time(s).
5/28/2009 8:23:57 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 51 time(s).
5/28/2009 8:19:06 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 50 time(s).
5/28/2009 8:04:35 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 49 time(s).
5/28/2009 7:59:34 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 48 time(s).
5/28/2009 7:55:12 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 47 time(s).
5/28/2009 7:50:41 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 46 time(s).
5/28/2009 7:46:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 45 time(s).
5/28/2009 7:38:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 44 time(s).
5/28/2009 7:32:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 43 time(s).
5/28/2009 7:28:07 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 42 time(s).
5/28/2009 7:23:36 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 41 time(s).
5/28/2009 7:15:55 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 40 time(s).
5/28/2009 7:01:44 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 39 time(s).
5/28/2009 6:45:53 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 38 time(s).
5/28/2009 6:27:52 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 37 time(s).
5/28/2009 6:23:10 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 36 time(s).
5/28/2009 6:18:29 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 35 time(s).
5/28/2009 6:14:08 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 34 time(s).
5/28/2009 6:09:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 33 time(s).
5/28/2009 6:05:16 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 32 time(s).
5/28/2009 6:00:55 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 31 time(s).
5/28/2009 5:56:34 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 30 time(s).
5/28/2009 5:52:13 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 29 time(s).
5/28/2009 5:47:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 28 time(s).
5/28/2009 5:43:21 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 27 time(s).
5/28/2009 5:39:00 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 26 time(s).
5/28/2009 5:34:39 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 25 time(s).
5/28/2009 5:30:18 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 24 time(s).
5/28/2009 5:25:47 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 23 time(s).
5/28/2009 5:20:46 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 22 time(s).
5/28/2009 5:16:25 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 21 time(s).
5/28/2009 5:12:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 20 time(s).
5/28/2009 5:07:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 19 time(s).
5/28/2009 5:00:01 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 18 time(s).
5/28/2009 4:53:00 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 17 time(s).
5/28/2009 4:47:49 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 16 time(s).
5/28/2009 4:42:18 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 15 time(s).
5/28/2009 4:37:47 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 14 time(s).
5/28/2009 4:33:15 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 13 time(s).
5/28/2009 4:28:54 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 12 time(s).
5/28/2009 4:24:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 11 time(s).
5/28/2009 4:19:12 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 10 time(s).
5/28/2009 4:14:51 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 9 time(s).
5/28/2009 4:10:30 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 8 time(s).
5/28/2009 4:06:09 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 7 time(s).
5/28/2009 4:01:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 6 time(s).
5/28/2009 3:57:27 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 5 time(s).
5/28/2009 3:53:06 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 4 time(s).
5/28/2009 3:47:35 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 3 time(s).
5/28/2009 3:43:05 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 2 time(s).
5/28/2009 3:38:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 1 time(s).
5/28/2009 12:06:54 PM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 83 time(s).
5/28/2009 11:59:33 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 82 time(s).
5/28/2009 11:49:52 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 81 time(s).
5/28/2009 11:45:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 80 time(s).
5/28/2009 11:40:59 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 79 time(s).
5/28/2009 11:33:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 78 time(s).
5/28/2009 11:26:57 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 77 time(s).
5/28/2009 11:22:36 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 76 time(s).
5/28/2009 11:18:14 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 75 time(s).
5/28/2009 11:13:53 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 74 time(s).
5/28/2009 11:09:32 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 73 time(s).
5/28/2009 11:05:01 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 72 time(s).
5/28/2009 11:00:40 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 71 time(s).
5/28/2009 10:56:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 70 time(s).
5/28/2009 10:51:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 69 time(s).
5/28/2009 10:47:16 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 68 time(s).
5/28/2009 10:42:45 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 67 time(s).
5/28/2009 10:38:24 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 66 time(s).
5/28/2009 10:34:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 65 time(s).
5/28/2009 10:29:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 64 time(s).
5/28/2009 10:25:10 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 63 time(s).
5/28/2009 10:17:49 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 62 time(s).
5/28/2009 10:11:28 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 61 time(s).
5/28/2009 10:07:07 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 60 time(s).
5/28/2009 10:02:46 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 59 time(s).
5/27/2009 11:00:16 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
5/27/2009 10:03:38 PM, error: Service Control Manager [7034] - The Folder Size service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:36 PM, error: Service Control Manager [7034] - The C-DillaSrv service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:21 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:18 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:13 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:03 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:01 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:02:56 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
5/26/2009 5:18:56 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0A33B4A. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/26/2009 5:17:26 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0A33B4A. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

==== End Of File ===========================

One other thing that might be of note--I've recently installed "Online Armor" firewall, and it has informed me that "The program WINDLL~1.exe wants to connect to other computer." I've never seen this process before, and I don't know why it's trying to access the internet. Anyway, thanks so much for your help, I eagerly await your next instructions.

151Henry151
2009-05-30, 01:47
Sorry, I couldn't find the button to edit my previous post, but I'd forgotten to mention that upon opening Google Chrome after the reboot, it informed me that it was no longer the default web browser.

Blade81
2009-05-30, 12:28
Hi again :)

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu and select Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.spybot.info/showthread.php?p=315056#post315056

Collect::
e:\windows\Config\WINDLL~1.exe

Dirlook::
e:\windows\Config

File::
e:\Documents and Settings\Romp\My Documents\Downloads\utorrent.exe

DDS::
TCP: {3B578110-D8AE-42BC-A5A5-FEFEB4C635D9} = 208.67.220.220,208.67.222.222
TCP: {52F65B3F-52BD-488C-8708-FDC656C0836B} = 208.67.220.220,208.67.222.222

Folder::
e:\documents and settings\Romp\Application Data\uTorrent

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDLL~1.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\Documents and Settings\\Romp\\My Documents\\Downloads\\utorrent.exe"=-

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and referring to the picture above, drag CFScript into ComboFix.exe. You'll be asked to submit some samples. Please follow the instructions to do so.
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. How's the system running?

151Henry151
2009-05-30, 14:27
Upon disabling Resident and rebooting my computer, I was presented with this error message: "oasrv.exe has encountered a problem and needs to close."

Promptly afterward, I received a notice from Online Armor informing me that "NIRCMD.exe wants to send WM_CLOSE message to another process". The process it was directed at was E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe, which should be something to do with my wireless network. I clicked Block, not allowing it to close, because I've never heard of NIRCMD.exe and I was concerned that it might cut off my access to the internet. I promptly got three other notices of the same sort, directed at three other processes also related to my wireless network. I blocked them all.

I ran CFScript Combofix, log is posted below.

I ran ATF Cleaner. I don't have Opera or Firefox, I use Google Chrome.

I followed your link for java, but was not sure which one of the many "download buttons to the right" I was supposed to click. I chose "JDK 6 update 13 with Java EE" and downloaded it, then followed your directions for uninstalling all the previous versions and installing the new one.

I went to run Kaspersky Online Scanner and was informed that "Your computer doesn't meet the requirements to run Kaspersky Online Scanner 7.0. Check the system requirements in the program help." I checked the system requirements and couldn't find anything that my computer doesn't have.

One other thing I was wondering--I have an external hard drive where most of my music, photos, and documents are stored. I figured for the purposes of cleaning it would be easier to clean my laptop first, then plug in the hard drive and clean it separately. Am I wrong to assume that? Should I be doing all this with that external hard drive plugged in?

The computer is starting to run a little faster, and I haven't noticed any random redirects recently, though they came so sporadically before that I can't be sure if they've stopped or not.

Thanks so much for your help! This computer means a lot to me, it has some 13,000 songs on it, and nearly every photo I've ever taken, and nearly everything I've written since 6th grade. I also use it to record music, so it has some 8 or 10 half-finished songs that it would be a shame to lose. Come to think of it, I think I'll burn those to CD right now, just in case.

Thank you.

Here's the combofix log:

ComboFix 09-05-29.01 - Romp 05/30/2009 13:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.425 [GMT 2:00]
Running from: e:\documents and settings\Romp\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Romp\Desktop\CFScript.txt
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::
"e:\documents and settings\Romp\My Documents\Downloads\utorrent.exe"

file zipped: e:\windows\Config\WINDLL~1.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\Romp\Application Data\uTorrent
e:\documents and settings\Romp\Application Data\uTorrent\-Supreme.NTM.Best.Of.2007.rar.torrent
e:\documents and settings\Romp\Application Data\uTorrent\100 Hits Pop - 100 Classics From The Last Five Decades 5CD's.torrent
e:\documents and settings\Romp\Application Data\uTorrent\25 Great Original Oldies - Vol 1.torrent
e:\documents and settings\Romp\Application Data\uTorrent\34 well-chosen hiphop songs.torrent
e:\documents and settings\Romp\Application Data\uTorrent\A Fever You Can't Sweat Out.torrent
e:\documents and settings\Romp\Application Data\uTorrent\A Masterpiece Collection.1.torrent
e:\documents and settings\Romp\Application Data\uTorrent\A Masterpiece Collection.torrent
e:\documents and settings\Romp\Application Data\uTorrent\AC DC - Full Discography.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Ace_Hood-All_Bets_On_Ace_(DJ_Khaled_&_DJ_Obscene)-2008-MIXFIEND.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Across The Universe Soundtrack.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Anais - The Love Album (2008) By Gtof MP3 ALBUM.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Arcsoft Photostudio v5.5 Crack.rar.torrent
e:\documents and settings\Romp\Application Data\uTorrent\As Tall As Lions (2006).torrent
e:\documents and settings\Romp\Application Data\uTorrent\Bob Marley Discography.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Charlie Winston.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Chemical Brothers - Surrender - 1999.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Coconut Records - Nighttiming.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Coldplay - Viva La Vida [2008][CD+SkidVid_XviD+Cov]320Kbps.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Connie Talbot - Over The Rainbow.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Desobeissance - Keny Arkana - 2008.torrent
e:\documents and settings\Romp\Application Data\uTorrent\dht.dat
e:\documents and settings\Romp\Application Data\uTorrent\dht.dat.old
e:\documents and settings\Romp\Application Data\uTorrent\Eurobeat.torrent
e:\documents and settings\Romp\Application Data\uTorrent\F 03.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Flatland.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Flight Simulator 2004(FS2004) - Full Game.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Google SketchUp Pro v7.0.10247 incl Keygen.torrent
e:\documents and settings\Romp\Application Data\uTorrent\H.P. Lovecraft-H.P. Lovecraft II(1969)[EAC-FLAC][TWR94][CR-Bt].torrent
e:\documents and settings\Romp\Application Data\uTorrent\Holy Modal Rounders-4 cd-.torrent
e:\documents and settings\Romp\Application Data\uTorrent\IGGY POP.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Jason Mraz - We Sing We Dance We Steal Things (MP3) 2Lions.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Java.torrent
e:\documents and settings\Romp\Application Data\uTorrent\John Lee Hooker - The Best of John Lee Hooker - Blues.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Joseph Arthur - All Albums.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Josh Groban - A Collection [2008][2CD+SkidVid_XviD+Cov].torrent
e:\documents and settings\Romp\Application Data\uTorrent\KCRW.com - Top Tunes January 2009.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Keny_Arkana-Entre_Ciment_Et_Belle_Etoile-CD-FR-2006-OBC-David91.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Keny_Arkana-Lesquisse-FR-2005-ff3.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Kid Rock-Rock And Roll Jesus.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Led Zeppelin - Discography (MP3@320Kbps).torrent
e:\documents and settings\Romp\Application Data\uTorrent\Lil Wayne - Tha Carter II [2005].torrent
e:\documents and settings\Romp\Application Data\uTorrent\Lil Wayne -Tha Carter III (Special Edition) (2008).torrent
e:\documents and settings\Romp\Application Data\uTorrent\Lil Wayne Discography + Mixtapes.torrent
e:\documents and settings\Romp\Application Data\uTorrent\MagicISO Maker v5.5 (Build 265) [BRAiGHTLiNG Crack][h33t][matt14].torrent
e:\documents and settings\Romp\Application Data\uTorrent\Medeski Scofield Martin and Wood - Out Louder.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Men At Work-Business As Usual (1981)-Cargo (1983)- 320k.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Merle Haggard - 2007 - Hag-The Studio Recordings 1969-76.torrent
e:\documents and settings\Romp\Application Data\uTorrent\MIA - Kala [2007][CD+SkidVid_XviD+Cov]192Kbps.torrent
e:\documents and settings\Romp\Application Data\uTorrent\MyTribe.exe.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Naturally 7 - Wall Of Sound (2009) - R&B [www.torrentazos.com].1.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Naturally 7 - Wall Of Sound (2009) - R&B [www.torrentazos.com].torrent
e:\documents and settings\Romp\Application Data\uTorrent\Now Thats What I Call Music 25 Years - 3cd's.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Oingo Boingo.torrent
e:\documents and settings\Romp\Application Data\uTorrent\OOo_3.0.1_Win32Intel_install_en-US.exe.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Paramore Discography.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Pink Floyd - full discography.torrent
e:\documents and settings\Romp\Application Data\uTorrent\PINK FLOYD - OFFICIAL DISCOGRAPHY - 1966 - 2003.torrent
e:\documents and settings\Romp\Application Data\uTorrent\pink martini - sympathique.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Public Enemy - Power To The People And The Beats - Public Enemy's Greatest Hits(MP3@320kbps)[h33t][t00_h0t].torrent
e:\documents and settings\Romp\Application Data\uTorrent\resume.dat
e:\documents and settings\Romp\Application Data\uTorrent\resume.dat.old
e:\documents and settings\Romp\Application Data\uTorrent\Ron Browz - Pop Champagne (Feat. Jim Jones).torrent
e:\documents and settings\Romp\Application Data\uTorrent\rss.dat
e:\documents and settings\Romp\Application Data\uTorrent\rss.dat.old
e:\documents and settings\Romp\Application Data\uTorrent\Sam Bush - King Of My World.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Savage Garden - Affirmation.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Sean Kingston - Sean Kingston [2007][CD+SkidVid+Cov]192Kbps.torrent
e:\documents and settings\Romp\Application Data\uTorrent\settings.dat
e:\documents and settings\Romp\Application Data\uTorrent\settings.dat.old
e:\documents and settings\Romp\Application Data\uTorrent\SimCity 4 Deluxe Incl Crack.torrent
e:\documents and settings\Romp\Application Data\uTorrent\SMV - Thunder.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Spiral Architect - A Sceptic's Universe 1999.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Spore-RELOADED.torrent
e:\documents and settings\Romp\Application Data\uTorrent\SPORE.1.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Spore.torrent
e:\documents and settings\Romp\Application Data\uTorrent\T.I.-Paper.Trail.Retail-2008-[NoFS].torrent
e:\documents and settings\Romp\Application Data\uTorrent\The Beatles Complete Discography @ 320 kbps.torrent
e:\documents and settings\Romp\Application Data\uTorrent\the best 18 techno, dance hits ....march 2009.torrent
e:\documents and settings\Romp\Application Data\uTorrent\The Doors - Discography [tRg Release].torrent
e:\documents and settings\Romp\Application Data\uTorrent\The Offspring - Discography 8CDs [16 Bonus Tracks].torrent
e:\documents and settings\Romp\Application Data\uTorrent\The Trashmen 4CD 1964-67 Surf Rock (Surfin' Bird).torrent
e:\documents and settings\Romp\Application Data\uTorrent\The Vogue Years.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Top 100 best techno.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Top 100 Hits of the 80s.torrent
e:\documents and settings\Romp\Application Data\uTorrent\VA-Eurovision Song Contest-Moscow-2009.torrent
e:\documents and settings\Romp\Application Data\uTorrent\WEEN-6 Albums.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Weezer album discography.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Yael Naim - Yael Naim (2008) - Pop.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Yael Naim.torrent
e:\documents and settings\Romp\Application Data\uTorrent\Zic de Zinc 2.torrent
e:\documents and settings\Romp\My Documents\Downloads\utorrent.exe
e:\windows\Config\WINDLL~1.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-29 00:57 . 2009-05-29 00:57 -------- d--h--w e:\windows\PIF
2009-05-27 22:15 . 2009-05-27 22:15 -------- d-----w e:\documents and settings\Romp\Application Data\OnlineArmor
2009-05-27 22:15 . 2009-05-27 22:15 -------- d-----w e:\documents and settings\All Users\Application Data\OnlineArmor
2009-05-27 22:15 . 2009-04-28 03:38 29776 ----a-w e:\windows\system32\drivers\OAnet.sys
2009-05-27 22:15 . 2009-04-28 03:02 31824 ----a-w e:\windows\system32\drivers\OAmon.sys
2009-05-27 22:15 . 2009-04-28 03:01 198224 ----a-w e:\windows\system32\drivers\OADriver.sys
2009-05-27 22:15 . 2009-05-27 22:15 -------- d-----w e:\program files\Tall Emu
2009-05-27 20:44 . 2009-05-27 20:44 -------- d-----w e:\program files\Trend Micro
2009-05-27 20:14 . 2009-05-27 20:14 -------- d-----w e:\program files\testing
2009-05-27 20:13 . 2009-05-27 20:13 -------- d-----w e:\program files\Copy of Spybot - Search & Destroy
2009-05-18 19:40 . 2006-06-07 01:05 139264 ----a-w e:\windows\system32\igfxres.dll
2009-05-18 00:51 . 2009-05-18 02:04 -------- d-----w e:\program files\GameSpy Arcade
2009-05-18 00:49 . 2009-05-18 00:51 -------- d-----w e:\program files\EA GAMES
2009-05-17 22:57 . 2009-05-17 22:57 -------- d-----w e:\program files\Codemasters
2009-05-17 19:17 . 2009-05-17 19:17 -------- d-----w e:\program files\ASIO4ALL v2
2009-05-15 20:18 . 2003-06-20 11:28 1777664 ----a-w e:\windows\system32\gdiplus.dll
2009-05-15 20:08 . 2009-05-17 19:17 -------- d-----w e:\program files\VstPlugins
2009-05-15 20:08 . 2009-05-15 20:08 -------- d-----w e:\program files\Outsim
2009-05-15 20:05 . 2009-05-17 19:17 -------- d-----w e:\program files\Image-Line
2009-05-14 12:10 . 2009-05-14 12:10 -------- d-----w e:\documents and settings\All Users\Application Data\Blizzard
2009-05-12 23:05 . 2009-05-12 23:05 -------- d--h--w E:\C_DILLA
2009-05-12 23:05 . 2001-09-10 17:09 57392 ----a-w e:\windows\system32\drivers\CDANT.SYS
2009-05-12 23:05 . 2001-09-10 17:09 45056 ----a-w e:\windows\CDILLA13.DLL
2009-05-12 23:05 . 2001-09-10 17:09 260096 ----a-w e:\windows\CDILLA32.DLL
2009-05-12 23:05 . 2001-09-10 17:08 32256 ----a-w e:\windows\system32\drivers\CDANTSRV.EXE
2009-05-12 23:05 . 2001-09-10 17:04 7056 ----a-w e:\windows\CDILLA16.EXE
2009-05-12 23:05 . 2001-09-10 17:04 23856 ----a-w e:\windows\CDILLA10.EXE
2009-05-12 23:05 . 2001-09-10 17:04 63344 ----a-w e:\windows\CDILLA05.DLL
2009-05-12 23:05 . 2001-09-10 15:38 55376 ----a-w e:\windows\CDILLA40.DLL
2009-05-12 23:05 . 1996-06-30 22:00 77312 ----a-w e:\windows\system32\TWAIN_32.DLL
2009-05-12 23:05 . 1995-07-31 11:44 212480 ----a-w e:\windows\system32\PCDLIB32.DLL
2009-05-09 09:10 . 2009-05-09 09:10 -------- d-----w e:\documents and settings\Romp\Application Data\Copy of Winamp
2009-05-09 09:04 . 2009-05-09 09:05 -------- d-----w e:\program files\Winamp
2009-05-02 07:01 . 2009-05-02 07:01 -------- d-----w e:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 11:34 . 2009-04-11 18:00 -------- d-----w e:\documents and settings\Romp\Application Data\Skype
2009-05-30 11:01 . 2009-04-11 18:41 -------- d-----w e:\documents and settings\Romp\Application Data\skypePM
2009-05-29 13:52 . 2009-01-20 06:06 -------- d-----w e:\program files\REAPER
2009-05-29 03:37 . 2009-03-03 04:26 -------- d-----w e:\documents and settings\All Users\Application Data\Google Updater
2009-05-27 21:00 . 2009-02-26 19:38 -------- d-----w e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-27 20:14 . 2009-02-26 19:38 -------- d-----w e:\program files\Spybot - Search & Destroy
2009-05-27 17:00 . 2009-03-03 04:26 -------- d-----w e:\program files\Google
2009-05-26 14:31 . 2009-03-08 11:56 1 ----a-w e:\documents and settings\Romp\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-25 23:10 . 2009-01-06 04:05 -------- d--h--w e:\program files\InstallShield Installation Information
2009-05-18 02:04 . 2009-04-24 21:32 738 ----a-w e:\windows\eReg.dat
2009-05-14 17:33 . 2009-04-23 22:00 -------- d-----w e:\program files\My Tribe
2009-05-09 09:13 . 2009-02-26 19:52 -------- d-----w e:\documents and settings\Romp\Application Data\Winamp
2009-04-27 19:13 . 2009-04-27 19:13 -------- d-----w e:\documents and settings\Romp\Application Data\SPORE
2009-04-27 00:21 . 2009-04-27 00:21 386560 ----a-w e:\documents and settings\Romp\Application Data\Free-backup.info\JustZIPit\JustZIPit.exe
2009-04-27 00:21 . 2009-04-27 00:21 -------- d-----w e:\documents and settings\Romp\Application Data\Free-backup.info
2009-04-26 23:16 . 2009-04-26 23:16 -------- d-----w e:\program files\FolderSize
2009-04-26 21:41 . 2009-04-26 21:41 -------- d-----w e:\program files\MagicDisc
2009-04-26 19:53 . 2009-04-24 18:34 -------- d-----w e:\program files\DebugMode
2009-04-26 10:50 . 2009-01-04 02:18 -------- d-----w e:\program files\Numark Cue
2009-04-26 10:46 . 2009-01-28 04:31 -------- d-----w e:\documents and settings\Romp\Application Data\Research In Motion
2009-04-26 10:46 . 2009-01-28 03:34 -------- d-----w e:\program files\Research In Motion
2009-04-26 10:46 . 2009-01-28 03:34 -------- d-----w e:\program files\Common Files\Research In Motion
2009-04-25 21:55 . 2009-04-25 17:19 -------- d-----w e:\program files\ArtMoney
2009-04-24 21:44 . 2004-08-12 14:04 12400 ----a-w e:\windows\system32\drivers\secdrv.sys
2009-04-24 21:31 . 2009-04-24 21:31 -------- d-----w e:\program files\Maxis
2009-04-24 21:14 . 2009-04-24 21:14 -------- d-----w e:\program files\MagicISO
2009-04-23 20:56 . 2009-04-23 20:56 -------- d-----w e:\program files\Common Files\Wise Installation Wizard
2009-04-20 19:07 . 2009-04-20 19:07 -------- d-----w e:\program files\TabsLock
2009-04-19 23:49 . 2009-04-19 23:49 17724 ---ha-w e:\windows\system32\mlfcache.dat
2009-04-17 23:02 . 2009-04-17 23:01 -------- d-----w e:\program files\Common Files\Adobe
2009-04-15 21:29 . 2009-04-15 21:29 3366912 ----a-w e:\windows\system32\GPhotos.scr
2009-04-11 18:41 . 2009-04-11 18:41 56 ---ha-w e:\windows\system32\ezsidmv.dat
2009-04-11 18:00 . 2009-04-11 18:00 -------- d-----w e:\program files\Common Files\Skype
2009-04-11 18:00 . 2009-04-11 18:00 -------- d-----r e:\program files\Skype
2009-04-11 18:00 . 2009-04-11 18:00 -------- d-----w e:\documents and settings\All Users\Application Data\Skype
2009-03-24 20:38 . 2009-01-28 04:31 256 ----a-w e:\windows\system32\pool.bin
2009-03-23 17:35 . 2009-03-23 17:35 13696 ----a-w e:\windows\system32\drivers\wpsnuio.sys
2009-03-22 04:34 . 2009-03-22 04:34 503808 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5aab2ea9-n\msvcp71.dll
2009-03-22 04:34 . 2009-03-22 04:34 499712 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5aab2ea9-n\jmc.dll
2009-03-22 04:34 . 2009-03-22 04:34 348160 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5aab2ea9-n\msvcr71.dll
2009-03-22 04:33 . 2009-01-24 12:54 410984 ----a-w e:\windows\system32\deploytk.dll
2009-03-22 04:32 . 2009-03-22 04:32 152576 ----a-w e:\documents and settings\Romp\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-21 19:27 . 2009-01-28 04:54 18448 ----a-w e:\documents and settings\Romp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-20 18:26 . 2009-03-20 18:27 38208 ----a-w e:\documents and settings\Romp\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of e:\windows\Config ----

2009-05-08 16:40 . 2009-05-08 16:40 241664 ---h--w e:\windows\Config\RULOG3~1.exe
2009-05-06 20:51 . 2009-05-30 11:37 208896 ----a-w e:\windows\Config\WINDLL~1.exe


((((((((((((((((((((((((((((( SnapShot@2009-05-29_23.31.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-30 11:01 . 2009-05-30 11:01 16384 e:\windows\Temp\Perflib_Perfdata_718.dat
+ 2009-05-30 11:29 . 2009-05-30 11:29 16384 e:\windows\Temp\Perflib_Perfdata_670.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="e:\documents and settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-21 133104]
"MSMSGS"="e:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Skype"="e:\program files\Skype\\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"MP10_EnsureFileVer"="e:\windows\inf\unregmp2.exe" [2004-08-12 208896]
"IntelZeroConfig"="e:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="e:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 148888]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"igfxtray"="e:\windows\system32\igfxtray.exe" [2006-06-07 94208]
"igfxhkcmd"="e:\windows\system32\hkcmd.exe" [2006-06-07 77824]
"igfxpers"="e:\windows\system32\igfxpers.exe" [2006-06-07 118784]
"@OnlineArmor GUI"="e:\program files\Tall Emu\Online Armor\oaui.exe" [2009-04-28 2045128]

e:\documents and settings\Romp\Start Menu\Programs\Startup\
MagicDisc.lnk - e:\program files\MagicDisc\MagicDisc.exe [2009-4-26 576000]
OpenOffice.org 3.0.lnk - e:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
santa.bat [2009-5-27 181]
TabsLock.lnk - e:\program files\TabsLock\tabslock.exe [2008-10-3 208896]
VZAccess Manager.lnk.disabled [2009-2-26 1893]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk.disabled [2009-1-28 1741]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "e:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-28 335048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BlackBerryAutoUpdate"=e:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\WINDOWS\\system32\\dplaysvr.exe"=
"e:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"e:\\WINDOWS\\system32\\dpnsvr.exe"=
"e:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"e:\\Program Files\\Google\\Google SketchUp 7\\SketchUp.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 OADevice;OADriver;e:\windows\system32\drivers\OADriver.sys [5/28/2009 12:15 AM 198224]
R1 OAmon;OAmon;e:\windows\system32\drivers\OAmon.sys [5/28/2009 12:15 AM 31824]
R1 OAnet;OAnet;e:\windows\system32\drivers\OAnet.sys [5/28/2009 12:15 AM 29776]
R2 OAcat;Online Armor Helper Service;e:\program files\Tall Emu\Online Armor\oacat.exe [5/28/2009 12:15 AM 361672]
R2 SvcOnlineArmor;Online Armor;e:\program files\Tall Emu\Online Armor\oasrv.exe [5/28/2009 12:15 AM 3052744]
S2 gupdate1c99bb882e1fe0a;Google Update Service (gupdate1c99bb882e1fe0a);e:\program files\Google\Update\GoogleUpdate.exe [3/3/2009 6:28 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-03 23:47]

2009-05-30 e:\windows\Tasks\GoogleUpdateTaskMachine.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 04:28]

2009-05-30 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-73586283-839522115-1004.job
- e:\documents and settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-21 09:11]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-30 13:47
ComboFix-quarantined-files.txt 2009-05-30 11:47
ComboFix2.txt 2009-05-29 23:34

Pre-Run: 2,839,334,912 bytes free
Post-Run: 2,828,103,680 bytes free

278 --- E O F --- 2009-03-23 19:59
Upload was successful

___________________________________________________________________________________________________________________
And DDS log number one:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Romp at 14:20:32.18 on Sat 05/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.404 [GMT 2:00]

FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
E:\Program Files\Tall Emu\Online Armor\OAcat.exe
E:\Program Files\Tall Emu\Online Armor\oasrv.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
E:\Program Files\FolderSize\FolderSizeSvc.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\Program Files\Google\Update\GoogleUpdate.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Program Files\Tall Emu\Online Armor\oaui.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Tall Emu\Online Armor\OAhlp.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\MagicDisc\MagicDisc.exe
E:\Program Files\TabsLock\tabslock.exe
E:\Program Files\OpenOffice.org 3\program\soffice.exe
E:\Program Files\OpenOffice.org 3\program\soffice.bin
E:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Romp\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "e:\documents and settings\romp\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "e:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "e:\program files\skype\\phone\Skype.exe" /nosplash /minimized
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MP10_EnsureFileVer] e:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [IntelZeroConfig] "e:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "e:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [igfxtray] e:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] e:\windows\system32\hkcmd.exe
mRun: [igfxpers] e:\windows\system32\igfxpers.exe
mRun: [@OnlineArmor GUI] "e:\program files\tall emu\online armor\oaui.exe"
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\magicd~1.lnk - e:\program files\magicdisc\MagicDisc.exe
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\openof~1.lnk - e:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: e:\documents and settings\romp\start menu\programs\startup\santa.bat
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\sdktra~1.lnk - e:\sun\sdk\jdk\bin\javaw.exe
StartupFolder: e:\docume~1\romp\startm~1\programs\startup\tabslock.lnk - e:\program files\tabslock\tabslock.exe
StartupFolder: e:\documents and settings\romp\start menu\programs\startup\VZAccess Manager.lnk.disabled
StartupFolder: e:\documents and settings\all users\start menu\programs\startup\Desktop Manager.lnk.disabled
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - e:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 OADevice;OADriver;e:\windows\system32\drivers\OADriver.sys [2009-5-28 198224]
R1 OAmon;OAmon;e:\windows\system32\drivers\OAmon.sys [2009-5-28 31824]
R1 OAnet;OAnet;e:\windows\system32\drivers\OAnet.sys [2009-5-28 29776]
R2 OAcat;Online Armor Helper Service;e:\program files\tall emu\online armor\oacat.exe [2009-5-28 361672]
R2 SvcOnlineArmor;Online Armor;e:\program files\tall emu\online armor\oasrv.exe [2009-5-28 3052744]
S2 gupdate1c99bb882e1fe0a;Google Update Service (gupdate1c99bb882e1fe0a);e:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]

=============== Created Last 30 ================

2009-05-30 14:13 23,108 a------- e:\windows\system32\productregistry
2009-05-30 14:12 <DIR> --d----- E:\Sun
2009-05-30 13:36 <DIR> --ds---- E:\ComboFix
2009-05-30 01:20 <DIR> a-dshr-- E:\cmdcons
2009-05-30 01:18 161,792 a------- e:\windows\SWREG.exe
2009-05-30 01:18 154,624 a------- e:\windows\PEV.exe
2009-05-30 01:18 98,816 a------- e:\windows\sed.exe
2009-05-29 02:57 <DIR> --d-h--- e:\windows\PIF
2009-05-28 00:15 <DIR> --d----- e:\docume~1\romp\applic~1\OnlineArmor
2009-05-28 00:15 <DIR> --d----- e:\docume~1\alluse~1\applic~1\OnlineArmor
2009-05-28 00:15 198,224 a------- e:\windows\system32\drivers\OADriver.sys
2009-05-28 00:15 31,824 a------- e:\windows\system32\drivers\OAmon.sys
2009-05-28 00:15 29,776 a------- e:\windows\system32\drivers\OAnet.sys
2009-05-28 00:15 <DIR> --d----- e:\program files\Tall Emu
2009-05-27 22:44 <DIR> --d----- e:\program files\Trend Micro
2009-05-27 22:14 <DIR> --d----- e:\program files\testing
2009-05-27 22:13 <DIR> --d----- e:\program files\Copy of Spybot - Search & Destroy
2009-05-18 21:40 139,264 a------- e:\windows\system32\igfxres.dll
2009-05-18 02:51 <DIR> --d----- e:\program files\GameSpy Arcade
2009-05-18 02:49 <DIR> --d----- e:\program files\EA GAMES
2009-05-18 00:57 <DIR> --d----- e:\program files\Codemasters
2009-05-17 21:17 <DIR> --d----- e:\program files\ASIO4ALL v2
2009-05-15 23:09 900,015 a------- e:\windows\system32\TmpA41508625
2009-05-15 22:18 1,777,664 a------- e:\windows\system32\gdiplus.dll
2009-05-15 22:08 <DIR> --d----- e:\program files\VstPlugins
2009-05-15 22:08 1,294,336 a------- e:\windows\system32\vorbis.acm
2009-05-15 22:08 <DIR> --d----- e:\program files\Outsim
2009-05-15 22:05 <DIR> --d----- e:\program files\Image-Line
2009-05-14 14:10 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Blizzard
2009-05-13 01:05 <DIR> --d-h--- E:\C_DILLA
2009-05-13 01:05 260,096 a------- e:\windows\CDILLA32.DLL
2009-05-13 01:05 63,344 a------- e:\windows\CDILLA05.DLL
2009-05-13 01:05 57,392 a------- e:\windows\system32\drivers\CDANT.SYS
2009-05-13 01:05 55,376 a------- e:\windows\CDILLA40.DLL
2009-05-13 01:05 45,056 a------- e:\windows\CDILLA13.DLL
2009-05-13 01:05 32,256 a------- e:\windows\system32\drivers\CDANTSRV.EXE
2009-05-13 01:05 23,856 a------- e:\windows\CDILLA10.EXE
2009-05-13 01:05 7,056 a------- e:\windows\CDILLA16.EXE
2009-05-13 01:05 212,480 a------- e:\windows\system32\PCDLIB32.DLL
2009-05-13 01:05 77,312 a------- e:\windows\system32\TWAIN_32.DLL
2009-05-09 11:10 <DIR> --d----- e:\docume~1\romp\applic~1\Copy of Winamp

==================== Find3M ====================

2009-04-24 23:44 12,400 a------- e:\windows\system32\drivers\secdrv.sys
2009-04-20 01:49 17,724 a---h--- e:\windows\system32\mlfcache.dat
2009-04-15 23:29 3,366,912 a------- e:\windows\system32\GPhotos.scr
2009-03-22 06:33 410,984 a------- e:\windows\system32\deploytk.dll
2009-01-28 06:35 256 ac------ e:\documents and settings\romp\pool.bin

============= FINISH: 14:21:40.65 ===============

_____________________________________________________________________________________________________________

And DDS log number two:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2009 1:57:13 AM
System Uptime: 5/30/2009 1:51:40 PM (1 hours ago)

Motherboard: Dell Inc. | | 0W9260
Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

D: is CDROM ()
E: is FIXED (NTFS) - 37 GiB total, 2.143 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP117: 4/26/2009 12:49:25 PM - Removed iTunes
RP118: 4/26/2009 9:54:13 PM - Removed Apple Mobile Device Support
RP119: 4/26/2009 11:54:59 PM - Installed SPORE™
RP120: 4/27/2009 12:05:42 AM - Installed SPORE™
RP121: 4/27/2009 12:14:36 AM - Installed SPORE™
RP122: 4/27/2009 12:33:12 AM - Installed SPORE™
RP123: 4/27/2009 12:47:08 AM - Removed SPORE™
RP124: 4/27/2009 12:51:06 AM - Installed SPORE™
RP125: 4/27/2009 1:16:17 AM - Installed Folder Size for Windows
RP126: 4/27/2009 1:23:50 AM - Installed SPORE™
RP127: 4/27/2009 9:07:11 PM - Removed SPORE™
RP128: 4/27/2009 9:07:59 PM - Installed SPORE™
RP129: 4/27/2009 9:12:46 PM - Installed DirectX 9.0
RP130: 4/29/2009 3:12:46 AM - System Checkpoint
RP131: 4/30/2009 3:49:55 AM - System Checkpoint
RP132: 5/1/2009 7:40:27 PM - System Checkpoint
RP133: 5/2/2009 8:04:07 PM - System Checkpoint
RP134: 5/2/2009 11:45:04 PM - Installed Pcsx2 0.9.6
RP135: 5/4/2009 1:39:27 AM - System Checkpoint
RP136: 5/5/2009 3:21:37 PM - System Checkpoint
RP137: 5/6/2009 4:29:32 PM - System Checkpoint
RP138: 5/7/2009 4:52:40 PM - System Checkpoint
RP139: 5/8/2009 7:11:11 PM - System Checkpoint
RP140: 5/8/2009 9:19:15 PM - Removed Pcsx2 0.9.6
RP141: 5/9/2009 11:22:50 PM - System Checkpoint
RP142: 5/11/2009 12:53:35 AM - System Checkpoint
RP143: 5/12/2009 1:14:47 AM - System Checkpoint
RP144: 5/13/2009 12:54:37 PM - System Checkpoint
RP145: 5/14/2009 3:30:08 PM - System Checkpoint
RP146: 5/17/2009 1:20:19 PM - Removed Google Earth.
RP147: 5/18/2009 2:51:39 AM - Installed Battlefield 1942
RP148: 5/18/2009 3:54:09 AM - Installed PunkBuster for Battlefield 1942
RP149: 5/18/2009 3:54:29 AM - Removed Battlefield 1942
RP150: 5/18/2009 3:56:56 AM - Installed Battlefield 1942
RP151: 5/26/2009 1:09:59 AM - System Checkpoint
RP152: 5/28/2009 3:29:08 AM - System Checkpoint
RP153: 5/30/2009 1:19:22 AM - ComboFix created restore point
RP154: 5/30/2009 2:08:41 PM - Removed Java(TM) 6 Update 12

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Altruist
Apple Software Update
ArtMoney SE v7.30.3
ASIO4ALL
BlackBerry® Media Sync
Broadcom 440x 10/100 Integrated Controller
C-Dilla Licence Management System
C-Major Audio
Collab
Conexant D110 MDC V.92 Modem
dBpoweramp Music Converter
FL Studio 7
Folder Size for Windows
GameSpy Arcade
Google Chrome
Google Earth
Google SketchUp Pro 7
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
IL Download Manager
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Java Platform, Enterprise Edition 5 SDK
KC Softwares AudioGrail
Magic ISO Maker v5.5 (build 0265)
MagicDisc 2.7.106
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 2.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 6.0 Parser (KB933579)
Music Collection 2.04.630
mWlsSafe
mWMI
mZConfig
Online Armor 3.5
OpenMG Jukebox
OpenMG Network Walkman(MS) Help
OpenMG Secure Module 3.0.03
OpenOffice.org 3.0
Picasa 3
QuickTime
REAPER
Skype™ 4.0
Sony USB Driver
SPORE™
Spybot - Search & Destroy
Switch Sound File Converter
TabsLock
twhirl
V CAST Music with Rhapsody
VZAccess Manager for RIM
WebFldrs XP
Winamp
Winamp Essentials Pack
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
WinRAR archiver

==== Event Viewer Messages From Past Week ========

5/30/2009 2:09:33 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
5/30/2009 1:24:14 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
5/30/2009 1:21:25 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
5/30/2009 1:04:47 PM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
5/29/2009 3:26:19 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer NICOLAS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{52F65B3F-52BD-488C-8. The master browser is stopping or an election is being forced.
5/29/2009 3:23:01 PM, error: NetBT [4319] - A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
5/28/2009 9:58:25 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 58 time(s).
5/28/2009 9:54:04 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 57 time(s).
5/28/2009 9:49:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 56 time(s).
5/28/2009 9:45:21 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 55 time(s).
5/28/2009 9:40:50 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 54 time(s).
5/28/2009 9:36:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 53 time(s).
5/28/2009 8:29:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 52 time(s).
5/28/2009 8:23:57 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 51 time(s).
5/28/2009 8:19:06 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 50 time(s).
5/28/2009 8:04:35 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 49 time(s).
5/28/2009 7:59:34 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 48 time(s).
5/28/2009 7:55:12 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 47 time(s).
5/28/2009 7:50:41 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 46 time(s).
5/28/2009 7:46:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 45 time(s).
5/28/2009 7:38:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 44 time(s).
5/28/2009 7:32:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 43 time(s).
5/28/2009 7:28:07 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 42 time(s).
5/28/2009 7:23:36 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 41 time(s).
5/28/2009 7:15:55 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 40 time(s).
5/28/2009 7:01:44 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 39 time(s).
5/28/2009 6:45:53 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 38 time(s).
5/28/2009 6:27:52 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 37 time(s).
5/28/2009 6:23:10 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 36 time(s).
5/28/2009 6:18:29 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 35 time(s).
5/28/2009 6:14:08 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 34 time(s).
5/28/2009 6:09:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 33 time(s).
5/28/2009 6:05:16 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 32 time(s).
5/28/2009 6:00:55 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 31 time(s).
5/28/2009 5:56:34 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 30 time(s).
5/28/2009 5:52:13 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 29 time(s).
5/28/2009 5:47:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 28 time(s).
5/28/2009 5:43:21 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 27 time(s).
5/28/2009 5:39:00 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 26 time(s).
5/28/2009 5:34:39 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 25 time(s).
5/28/2009 5:30:18 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 24 time(s).
5/28/2009 5:25:47 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 23 time(s).
5/28/2009 5:20:46 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 22 time(s).
5/28/2009 5:16:25 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 21 time(s).
5/28/2009 5:12:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 20 time(s).
5/28/2009 5:07:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 19 time(s).
5/28/2009 5:00:01 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 18 time(s).
5/28/2009 4:53:00 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 17 time(s).
5/28/2009 4:47:49 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 16 time(s).
5/28/2009 4:42:18 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 15 time(s).
5/28/2009 4:37:47 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 14 time(s).
5/28/2009 4:33:15 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 13 time(s).
5/28/2009 4:28:54 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 12 time(s).
5/28/2009 4:24:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 11 time(s).
5/28/2009 4:19:12 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 10 time(s).
5/28/2009 4:14:51 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 9 time(s).
5/28/2009 4:10:30 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 8 time(s).
5/28/2009 4:06:09 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 7 time(s).
5/28/2009 4:01:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 6 time(s).
5/28/2009 3:57:27 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 5 time(s).
5/28/2009 3:53:06 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 4 time(s).
5/28/2009 3:47:35 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 3 time(s).
5/28/2009 3:43:05 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 2 time(s).
5/28/2009 3:38:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 1 time(s).
5/28/2009 12:06:54 PM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 83 time(s).
5/28/2009 11:59:33 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 82 time(s).
5/28/2009 11:49:52 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 81 time(s).
5/28/2009 11:45:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 80 time(s).
5/28/2009 11:40:59 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 79 time(s).
5/28/2009 11:33:48 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 78 time(s).
5/28/2009 11:26:57 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 77 time(s).
5/28/2009 11:22:36 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 76 time(s).
5/28/2009 11:18:14 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 75 time(s).
5/28/2009 11:13:53 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 74 time(s).
5/28/2009 11:09:32 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 73 time(s).
5/28/2009 11:05:01 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 72 time(s).
5/28/2009 11:00:40 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 71 time(s).
5/28/2009 10:56:19 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 70 time(s).
5/28/2009 10:51:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 69 time(s).
5/28/2009 10:47:16 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 68 time(s).
5/28/2009 10:42:45 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 67 time(s).
5/28/2009 10:38:24 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 66 time(s).
5/28/2009 10:34:03 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 65 time(s).
5/28/2009 10:29:42 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 64 time(s).
5/28/2009 10:25:10 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 63 time(s).
5/28/2009 10:17:49 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 62 time(s).
5/28/2009 10:11:28 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 61 time(s).
5/28/2009 10:07:07 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 60 time(s).
5/28/2009 10:02:46 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 59 time(s).
5/27/2009 10:03:38 PM, error: Service Control Manager [7034] - The Folder Size service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:36 PM, error: Service Control Manager [7034] - The C-DillaSrv service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:21 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:18 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:13 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:03 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:01 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:02:56 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
5/26/2009 5:18:56 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0A33B4A. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/26/2009 5:17:26 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0A33B4A. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/25/2009 10:27:05 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
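Reading the Service Control Manager entries in the log above by script rather than by eye, as an added example that is not part of the original post: it parses the event lines, groups event 7034 (service terminated unexpectedly) by service name using SCM's own running counter, and flags security software that is crashing repeatedly. Online Armor is a firewall/HIPS, and a counter climbing to 83 in roughly eight hours is the pattern a helper checks for when malware is suspected of killing protection, though the log alone does not say what terminated it. The sample lines are a constructed subset of the posted log, and the service list, threshold and function names are this example's assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a handful of Service Control Manager lines in the
# format of the posted event log (timestamps and counters taken from it,
# trimmed to a few lines so the example runs quickly).
SAMPLE_LOG = """\
5/28/2009 12:06:54 PM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 83 time(s).
5/28/2009 7:46:20 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 45 time(s).
5/28/2009 3:38:37 AM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:38 PM, error: Service Control Manager [7034] - The Folder Size service terminated unexpectedly. It has done this 1 time(s).
5/27/2009 10:03:03 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/25/2009 10:27:05 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
"""

# One event line: "<timestamp>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# Message body of event 7034 (service crash) carrying SCM's cumulative counter.
CRASH_RE = re.compile(
    r"^The (?P<svc>.+?) service terminated unexpectedly\. "
    r"It has done this (?P<n>\d+) time\(s\)\.$"
)

# Assumption for this example: service names we treat as security software.
# Online Armor is the firewall/HIPS that appears in the posted log.
SECURITY_SERVICES = {"online armor"}


def parse_events(text):
    """Parse event log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "level": m["level"],
            "source": m["source"],
            "event_id": int(m["eid"]),
            "message": m["msg"],
        })
    return events


def summarize_crashes(events):
    """Group event 7034 entries by service name.

    Returns {service: {"entries", "max_counter", "first", "last"}}. The
    counter is SCM's own running count, so max_counter still reflects
    crashes whose individual lines were not captured in the excerpt.
    """
    summary = {}
    for ev in events:
        if ev["event_id"] != 7034:
            continue
        m = CRASH_RE.match(ev["message"])
        if not m:
            continue
        entry = summary.setdefault(m["svc"], {
            "entries": 0, "max_counter": 0, "first": ev["time"], "last": ev["time"],
        })
        entry["entries"] += 1
        entry["max_counter"] = max(entry["max_counter"], int(m["n"]))
        entry["first"] = min(entry["first"], ev["time"])
        entry["last"] = max(entry["last"], ev["time"])
    return summary


def flag_security_crashes(summary, min_counter=5):
    """Return security services whose crash counter reached min_counter.

    Each finding carries the crash rate per hour over the observed window,
    which separates a one-off fault from something repeatedly killing the
    service. per_hour is None when only a single timestamp was seen.
    """
    findings = []
    for svc, s in summary.items():
        if svc.lower() not in SECURITY_SERVICES or s["max_counter"] < min_counter:
            continue
        span_h = (s["last"] - s["first"]).total_seconds() / 3600
        findings.append({
            "service": svc,
            "crashes": s["max_counter"],
            "per_hour": round(s["max_counter"] / span_h, 1) if span_h > 0 else None,
            "window": (s["first"], s["last"]),
        })
    return findings


if __name__ == "__main__":
    summary = summarize_crashes(parse_events(SAMPLE_LOG))
    for svc, s in sorted(summary.items()):
        print(f"{svc}: {s['entries']} line(s), counter up to {s['max_counter']}")
    for f in flag_security_crashes(summary):
        print(f"SECURITY SERVICE CRASHING: {f['service']} {f['crashes']}x "
              f"(~{f['per_hour']}/h between {f['window'][0]} and {f['window'][1]})")
```

Run against the full posted log it reports Online Armor with a counter of 83 over the morning of 5/28, while the Intel, Java and Folder Size services each show a single termination clustered at 10:03 PM on 5/27, which looks like one shutdown or reboot rather than a pattern.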

151Henry151
2009-05-30, 15:29
Another quick comment--Please don't take this as arrogance, I only wish to save you some time--I'm fairly computer literate, so you needn't spell things out to such a great degree, with screen shots and step-by-step descriptions for every direction. If you're copying and pasting from previous posts and it's more convenient for you to give these specific, detailed instructions, by all means do, but if you'd rather, you can forgo the screen shots and "click ok on the next dialog, check the agree to terms and services box and click next.." etc. etc.

Just hoping to save you some time so that more people might benefit from your assistance :)

151Henry151
2009-05-30, 16:39
Update--Just had some trouble with Chrome, twice in a row. Opened it and everything indicated it was working properly, but instead of any websites appearing (or even the new tab page appearing) I just got a blank screen. Any url, same blank white screen.
Rebooting Chrome didn't help, but rebooting the computer fixed the problem until the next time I rebooted Chrome--then same problem, same fix, rebooting the computer.

Also, tried Kaspersky again, and this time Google Chrome gave me a little alert, saying I didn't have the proper plugin, Java. I downloaded the java plugin for chrome, but I still got the same "your computer doesn't meet the requirements" message from Kaspersky.

151Henry151
2009-05-30, 17:58
Another update: Determined Kaspersky won't run in Google Chrome, opened it in Internet Explorer, and am currently scanning, will post log shortly.

151Henry151
2009-05-30, 20:22
Kaspersky scan completed with the following result:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 30, 2009 16:57:36
Records in database: 2278944
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
D:\
E:\
F:\

Scan statistics:
Files scanned: 57610
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:25:01


File name / Threat name / Threats count
E:\Qoobox\Quarantine\[4]-Submit_2009-05-30_13.37.17.zip Infected: Backdoor.Win32.VB.inv 1
E:\System Volume Information\_restore{D76635BC-D33E-4E7F-9AC4-0CDD38E6173E}\RP153\A0050322.com Infected: Trojan.Win32.TDSS.acpq 1
E:\WINDOWS\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame 1
E:\WINDOWS\system32\updater.txt Infected: Trojan-Downloader.Win32.VB.mkm 1

The selected area was scanned.

It appears I've got a few infections.

Blade81
2009-05-31, 10:05
Hi again,

Did you have external hard drive plugged in during Kaspersky online scanner run? If not, please plug the drive in. We'll scan it a bit later.

Then, when it comes to instructions: well, I have to write those keeping in mind that not all users are so good with computers. It's easier to create a kind of template that is easy for an illiterate user to follow. For literate users it may sometimes look a bit funny :)

Open notepad and copy/paste the text in the quotebox below into it:

File::
E:\WINDOWS\Downloaded Program Files\gsda.dll
E:\WINDOWS\system32\updater.txt

Folder::
e:\windows\config

Save this as CFScript

A word of warning: Neither I nor sUBs is responsible for any damage you may cause to your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab, and end any processes of findstr, find, sed or swreg; then Combofix should continue.
If that happened we want to know, and also what process you had to end.

Re-run Kaspersky online scanner and post back its report & a fresh dds.txt log.
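As an added example (not ComboFix's or the helper's tooling), a small script that turns the Kaspersky result table from the post above into the File:: block the helper wrote, applying the same distinction the helper made: the copy in ComboFix's own Qoobox quarantine and the System Restore point copy under System Volume Information are left out, and only the two live files go in. The regex, the classification rules and the function names are this example's assumptions; the report lines and the Folder:: entry are the ones from the thread.

```python
import re

# Constructed sample: the result table of the Kaspersky report posted above,
# reproduced as an inline string so the example runs offline.
KASPERSKY_REPORT = r"""
File name / Threat name / Threats count
E:\Qoobox\Quarantine\[4]-Submit_2009-05-30_13.37.17.zip Infected: Backdoor.Win32.VB.inv 1
E:\System Volume Information\_restore{D76635BC-D33E-4E7F-9AC4-0CDD38E6173E}\RP153\A0050322.com Infected: Trojan.Win32.TDSS.acpq 1
E:\WINDOWS\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame 1
E:\WINDOWS\system32\updater.txt Infected: Trojan-Downloader.Win32.VB.mkm 1

The selected area was scanned.
"""

# One result line: "<path, may contain spaces> Infected: <threat name> <count>"
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def parse_kaspersky_report(text):
    """Return a list of {"path", "threat", "count"} for every result line."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def classify_hit(path):
    """Decide whether a detection is a live file or an already-contained copy.

    Assumptions used by this example, matching what the helper did above:
    - a path inside ComboFix's Qoobox quarantine folder is already
      neutralised and should not be fed back to ComboFix as a File:: entry;
    - a path under System Volume Information is a System Restore point copy,
      dealt with by clearing restore points rather than by a File:: entry.
    Everything else is treated as a live file.
    """
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\" in p:
        return "restore_point"
    return "live"


def build_cfscript(hits, folders=()):
    """Build CFScript text: a File:: block for live hits plus an optional Folder:: block.

    The script format is one path per line under each directive, so no
    threat names or comments are written into it.
    """
    live = [h["path"] for h in hits if classify_hit(h["path"]) == "live"]
    lines = ["File::", *live, ""]
    if folders:
        lines += ["Folder::", *folders, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = parse_kaspersky_report(KASPERSKY_REPORT)
    for h in hits:
        print(f"{classify_hit(h['path']):13} {h['threat']:40} {h['path']}")
    # e:\windows\config is the Folder:: entry the helper also listed in the thread.
    print(build_cfscript(hits, folders=[r"e:\windows\config"]))
```

The classification step is the part worth keeping: feeding every reported path straight into a File:: block would ask ComboFix to delete its own quarantine archive and a restore-point copy it cannot usefully act on, which is exactly why the helper's script names only gsda.dll and updater.txt.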

Blade81
2009-06-07, 13:17
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.