
Spybot S&D not loading up, programs not installing, and Google redirects.



anoney
2009-06-10, 17:15
Hi,

Windows Vista user here, I seem to have caught a few nasty viruses which are doing the following:

1) Spybot S&D will not load. The .exe file seems to be missing from the install folder. I have uninstalled it for the time being.

2) Google searches are redirecting me to weird adware sites. This happens in Mozilla and IE (Mozilla is my main browser).

3) I read the stickies and tried to install HJT, but the first time I tried to install it I got the blue screen of death (have not seen that for a while). The second time I tried it does not seem to have installed correctly. I have a shortcut on the desktop (which doesn't work) and in the install directory I have one .exe file (does not run).

Any help with this would be much appreciated.

pskelley
2009-06-11, 13:26
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions.

HijackThis is a starting point, please try this self-installer:

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

You may also try changing the name of the executable before saving it to the Desktop to anoney.exe. This is the hackers' work: the junk they put on your computer is looking for programs like HJT and blocks them.

As far as Spybot S&D goes, it is a good program but likely will not remove this junk, so don't try to run it again until we remove the junk.

Thanks

anoney
2009-06-11, 15:31
Hi pskelley. Thank you very much for helping me with my problem.

I read the "BEFORE you POST" link and I understand all that is required of me in this process.

I tried to reinstall HJT as per your instructions, but I got the blue screen of death again. I tried to rename the installer to anoney.exe but again after clicking the INSTALL button I get the blue screen of death.

pskelley
2009-06-11, 16:03
Are you using a router?

BSODs come with error messages; please post any error message you receive "word for word". Please keep in mind as we proceed that you are in front of the computer and I depend on your feedback to know what occurs.

http://kadaitcha.cx/vista/index.html
http://www.edbott.com/weblog/?p=576
http://www.google.com/search?hl=en&ei=jQ0xSrf7C57KtgeCtenXBQ&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=troubleshoot+BSOD&spell=1

Thanks

anoney
2009-06-11, 16:25
Yes, I am using a router to connect to the internet.

I tried reinstalling HJT one more time, and after pressing the INSTALL button nothing happened. I checked my PROGRAM FILES directory and found the TREND MICRO folder, with a HIJACKTHIS folder in it, and then a single file called hijackthis.exe in that folder. I tried to run that file and got the BSOD. Here is the error info of that BSOD as was shown:

Technical Information:

*** STOP: 0x0000008E (0xC0000005, 0x81A740B4, 0x97B8F3A4, 0x00000000)

pskelley
2009-06-11, 16:36
Thanks for the feedback. If I have not mentioned it, do not expect this to be easy. The hackers do all they can to keep you from removing their junk.

Have a look at this information:
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

Sure you got that error exact? Here is what Google has to say:
http://www.google.com/search?hl=en&q=STOP%3A+0x0000008E+%280xC0000005%2C+0x81A740B4%2C+0x97B8F3A4%2C+0x00000000%29+&btnG=Google+Search&aq=f&oq=&aqi=
Your search - STOP: 0x0000008E (0xC0000005, 0x81A740B4, 0x97B8F3A4, 0x00000000) - did not match any documents.

It is very rare for that to happen.

See if you can get combofix to run, be sure you read and follow these directions carefully.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished, restart your computer to restore the connection.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

anoney
2009-06-11, 16:49
I just got the BSOD again after trying to run that single .exe file found in c:\Program Files\Trend Micro\Hijackthis folder. There was a new error message this time:

*** STOP: 0x0000008E (0xC0000005, 0x81AA60B4, 0x953CB3A4, 0x00000000)

I have not yet followed your instructions for combofix, because I thought it best to run this new BSOD error message by you first. Should I now run combofix as per your instructions?

pskelley
2009-06-11, 16:57
*** STOP: 0x0000008E (0xC0000005, 0x81AA60B4, 0x953CB3A4, 0x00000000) <<< returns nothing when Googled, please follow the directions to run combofix.

Thanks

anoney
2009-06-11, 17:10
I followed your instructions carefully for using combofix, but when I double-click the file to run it nothing happens. I am using Windows Vista so the UAE window comes up when I double-click it, but after that nothing happens.

anoney
2009-06-11, 17:13
Sorry, I meant the UAC prompt window comes up, but after that nothing.

pskelley
2009-06-11, 17:20
Unfortunately I cannot do this for you, and the hackers keep changing their junk, so we never know what will work.

Give this a try:

Make sure you run all tools on Vista as Administrator

You must rename it before saving it, save it to your Desktop.

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

anoney
2009-06-11, 18:07
I tried what you suggested and it worked! About one minute into its operation, ComboFix produced the following message:

ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
Kindly note down on paper, the name of each file. We may need it later.

C:\Windows\system32\drivers\gxvxcsgfcbdcdiibomyqopqlvvvtlrxetrnxu.sys
C:\Windows\system32\gxvxcditltusswqqhfhcvimxewmfcvuwccbby.dll
C:\Windows\system32\gxvxceoubtxapdjtrtkepnaeaybsvrmbhmbgx.dll

After rebooting, ComboFix finished running and produced the following log:

ComboFix 09-06-10.02 - Majid 11/06/2009 16:51.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.44.1033.18.2429.1596 [GMT 1:00]
Running from: c:\users\Majid\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\drivers\gxvxcsgfcbdcdiibomyqopqlvvvtlrxetrnxu.sys
c:\windows\system32\gxvxccount
c:\windows\system32\gxvxcditltusswqqhfhcvimxewmfcvuwccbby.dll
c:\windows\system32\gxvxceoubtxapdjtrtkepnaeaybsvrmbhmbgx.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
D:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 15:56 . 2009-06-11 15:56 -------- d-----w- c:\users\Majid\AppData\Local\temp
2009-06-10 14:52 . 2009-06-10 14:52 -------- d-----w- c:\program files\ERUNT
2009-06-09 22:00 . 2009-04-21 11:39 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-06-09 22:00 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2009-06-09 21:59 . 2009-04-23 12:15 828416 ----a-w- c:\windows\system32\wininet.dll
2009-06-09 21:59 . 2009-04-24 16:02 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-09 21:59 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-08 11:39 . 2009-06-08 11:39 -------- d-----w- c:\users\Majid\AppData\Local\ESET
2009-06-07 17:39 . 2009-06-07 17:39 -------- d-----w- c:\users\majid_riaz
2009-05-29 21:54 . 2009-05-29 21:54 -------- d-----w- c:\program files\DVD Decrypter
2009-05-27 02:39 . 2009-05-27 02:40 -------- d-----w- c:\windows\system32\ca-ES
2009-05-27 02:39 . 2009-05-27 02:40 -------- d-----w- c:\windows\system32\eu-ES
2009-05-27 02:39 . 2009-05-27 02:40 -------- d-----w- c:\windows\system32\vi-VN
2009-05-26 23:13 . 2009-05-26 23:13 -------- d-----w- c:\windows\system32\EventProviders
2009-05-26 23:10 . 2009-04-11 06:28 677376 ----a-w- c:\windows\system32\imapi2fs.dll
2009-05-26 23:09 . 2009-04-11 06:33 614376 ----a-w- c:\windows\system32\ci.dll
2009-05-26 23:08 . 2009-04-11 06:28 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2009-05-24 20:27 . 2009-06-10 01:38 -------- d-----w- c:\users\Majid\AppData\Roaming\foobar2000
2009-05-24 20:27 . 2009-05-24 21:20 -------- d-----w- c:\program files\foobar2000
2009-05-18 17:56 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2009-05-18 16:25 . 2009-05-18 16:25 10134 ----a-r- c:\users\Majid\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-18 16:25 . 2009-05-18 16:25 -------- d-----w- c:\program files\Microsoft WSE
2009-05-18 16:25 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-05-16 16:46 . 2009-05-16 16:46 -------- d-----w- C:\PerfLogs
2009-05-16 16:10 . 2008-01-19 07:29 705536 ----a-w- c:\windows\system32\imagesp1.dll
2009-05-16 16:10 . 2008-01-19 07:36 116736 ----a-w- c:\windows\system32\sstpsvc.dll
2009-05-16 16:10 . 2008-01-19 07:36 175104 ----a-w- c:\windows\system32\winrscmd.dll
2009-05-16 16:10 . 2008-01-19 07:34 69120 ----a-w- c:\windows\system32\iesetup.dll
2009-05-16 16:08 . 2008-01-19 07:42 56376 ----a-w- c:\windows\system32\drivers\dumpfve.sys
2009-05-16 16:07 . 2008-01-19 07:41 28216 ----a-w- c:\windows\system32\drivers\battc.sys
2009-05-16 16:06 . 2008-01-19 07:37 153600 ----a-w- c:\windows\system32\wmvdspa.dll
2009-05-16 16:05 . 2008-01-19 07:35 35328 ----a-w- c:\windows\system32\mspatcha.dll
2009-05-16 16:05 . 2008-01-19 07:34 305152 ----a-w- c:\windows\system32\msdelta.dll
2009-05-16 16:05 . 2008-01-19 07:34 258560 ----a-w- c:\windows\system32\dpx.dll
2009-05-16 16:05 . 2006-11-02 09:39 6656 ----a-w- c:\windows\system32\kbd106.dll
2009-05-16 14:56 . 2009-05-16 14:56 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-16 14:44 . 2009-05-16 14:44 -------- d-----w- c:\users\Majid\AppData\Roaming\Apple Computer
2009-05-16 14:44 . 2009-06-10 18:09 -------- dc----w- c:\windows\system32\DRVSTORE
2009-05-16 14:44 . 2009-05-16 14:44 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-16 14:34 . 2009-05-16 14:44 -------- d-----w- c:\users\Majid\AppData\Local\Apple Computer
2009-05-16 14:31 . 2009-05-16 14:44 -------- d-----w- c:\programdata\Apple Computer
2009-05-16 14:31 . 2009-05-16 14:32 -------- d-----w- c:\program files\QuickTime
2009-05-16 14:31 . 2009-05-16 14:31 -------- d-----w- c:\users\Majid\AppData\Local\Apple
2009-05-16 14:30 . 2009-05-16 14:30 -------- d-----w- c:\program files\QuickTime Pro 7.60.92 Windows XPVista
2009-05-16 13:53 . 2009-05-16 13:53 -------- d-----w- c:\users\Majid\AppData\Local\ACD Systems
2009-05-16 13:53 . 2009-05-16 13:53 -------- d-----w- c:\users\Majid\AppData\Roaming\ACD Systems
2009-05-16 13:52 . 2009-05-16 13:52 -------- d-----w- c:\programdata\ACD Systems
2009-05-16 13:52 . 2009-05-16 13:52 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-05-16 13:52 . 2009-05-16 13:52 -------- d-----w- c:\program files\ACD Systems
2009-05-16 13:50 . 2009-05-16 13:50 -------- d-----w- c:\users\Majid\AppData\Local\Downloaded Installations
2009-05-16 13:40 . 2009-05-16 13:41 -------- d-----w- c:\users\Majid\AppData\Local\Adobe
2009-05-16 13:39 . 2009-05-16 13:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-16 13:38 . 2009-05-16 13:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-16 13:21 . 2009-05-16 13:21 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-05-16 13:14 . 2009-05-16 15:28 -------- d-----w- c:\program files\Microsoft Works
2009-05-16 13:11 . 2009-05-16 13:11 -------- d-----w- c:\program files\Microsoft.NET
2009-05-16 13:07 . 2009-05-16 13:07 -------- d-----w- c:\users\Majid\AppData\Local\Microsoft Help
2009-05-16 13:07 . 2009-06-10 13:57 -------- d-----w- c:\programdata\Microsoft Help
2009-05-16 13:02 . 2009-05-16 13:02 -------- d--h--r- C:\MSOCache
2009-05-16 12:54 . 2009-05-16 12:54 -------- d-----w- c:\programdata\DAEMON Tools Lite
2009-05-16 12:54 . 2009-05-16 12:54 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-16 12:54 . 2009-05-16 12:54 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-16 12:51 . 2009-05-16 12:51 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-16 12:51 . 2009-05-16 12:57 -------- d-----w- c:\users\Majid\AppData\Roaming\DAEMON Tools Lite
2009-05-16 07:54 . 2009-06-11 14:45 -------- d-----w- c:\users\Majid\Tracing
2009-05-16 07:53 . 2009-05-16 07:53 -------- d-----w- c:\program files\Microsoft
2009-05-16 07:53 . 2009-05-16 07:53 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-16 07:53 . 2009-05-16 07:53 -------- d-----w- c:\program files\Windows Live
2009-05-16 07:52 . 2009-05-16 07:52 -------- d-----w- c:\windows\PCHEALTH
2009-05-16 03:30 . 2009-05-16 03:30 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-05-16 03:30 . 2009-05-16 03:30 272896 ----a-w- c:\windows\system32\polstore.dll
2009-05-16 03:05 . 2009-05-16 03:05 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-05-16 02:45 . 2008-01-19 07:34 15872 ----a-w- c:\windows\system32\hcrstco.dll
2009-05-16 02:45 . 2006-11-02 09:46 8704 ----a-w- c:\windows\system32\hccoin.dll
2009-05-16 02:31 . 2009-05-16 02:31 9728 ----a-w- c:\windows\system32\lsass.exe
2009-05-16 02:26 . 2009-05-16 02:26 37888 ----a-w- c:\windows\system32\printcom.dll
2009-05-16 02:25 . 2009-05-16 02:25 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-05-16 02:02 . 2009-05-16 02:02 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-05-16 01:48 . 2009-05-16 01:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-16 01:47 . 2009-05-16 01:47 84480 ----a-w- c:\windows\system32\INETRES.dll
2009-05-16 01:46 . 2009-06-10 14:56 -------- d-----w- c:\users\Majid\AppData\Roaming\uTorrent
2009-05-16 01:43 . 2009-05-16 01:43 -------- d-----w- c:\windows\system32\Macromed
2009-05-16 01:40 . 2009-05-16 01:40 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-05-16 01:39 . 2009-05-16 01:39 72704 ----a-w- c:\windows\system32\admparse.dll
2009-05-16 01:39 . 2009-05-16 01:39 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-05-16 01:26 . 2009-05-16 01:26 -------- d-----w- c:\users\Majid\AppData\Local\Cooliris
2009-05-16 01:17 . 2009-05-16 01:17 -------- d-----w- c:\program files\CCleaner
2009-05-16 01:12 . 2009-06-10 14:49 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-05-16 01:07 . 2005-08-25 18:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-05-16 01:07 . 2009-06-10 14:03 -------- d-----w- c:\program files\SpywareBlaster
2009-05-16 01:03 . 2009-05-16 01:03 -------- d-----w- c:\users\Majid\AppData\Roaming\Outertech
2009-05-16 01:02 . 2009-05-16 01:03 -------- d-----w- c:\program files\GetDiz
2009-05-16 00:59 . 2009-05-16 00:59 0 ----a-w- c:\windows\nsreg.dat
2009-05-16 00:59 . 2009-05-16 00:59 -------- d-----w- c:\users\Majid\AppData\Local\Mozilla
2009-05-16 00:38 . 2009-05-16 00:38 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-05-16 00:38 . 2009-05-16 00:38 43544 ----a-w- c:\windows\system32\wups2.dll
2009-05-16 00:38 . 2009-05-16 00:38 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-05-16 00:38 . 2009-05-16 00:38 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-05-16 00:37 . 2009-05-16 00:37 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-05-16 00:37 . 2009-05-16 00:37 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-05-16 00:37 . 2009-05-16 00:37 34328 ----a-w- c:\windows\system32\wups.dll
2009-05-16 00:37 . 2009-05-16 00:37 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-05-16 00:37 . 2009-05-16 00:37 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-05-16 00:32 . 2008-03-03 17:21 568 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-05-16 00:32 . 2008-03-03 13:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2009-05-16 00:25 . 2009-05-16 00:31 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 15:11 . 2009-05-16 01:25 169936 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\FlashGot.exe
2009-06-10 15:56 . 2009-06-10 15:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-10 15:56 . 2009-06-10 15:56 -------- d-----w- c:\program files\Java
2009-05-27 02:41 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-05-27 02:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-27 02:41 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-05-27 02:41 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-05-27 02:41 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Journal
2009-05-27 02:41 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-05-27 02:41 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-05-27 02:39 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-19 13:14 . 2009-05-19 13:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-05-16 23:59 . 2009-05-16 23:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-05-16 18:19 . 2008-09-24 13:42 99864 ----a-w- c:\users\Majid\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-16 16:35 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-05-16 16:35 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-04-17 15:58 . 2009-05-16 01:25 103424 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-04-17 15:58 . 2009-05-16 01:25 954368 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-04-17 15:58 . 2009-05-16 01:25 344064 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-04-17 15:58 . 2009-05-16 01:25 71652 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\avutil-49.dll
2009-04-17 15:58 . 2009-05-16 01:25 4579328 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\cooliris18.dll
2009-04-17 15:58 . 2009-05-16 01:25 4534272 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-04-17 15:58 . 2009-05-16 01:25 131868 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\avformat-52.dll
2009-04-17 15:58 . 2009-05-16 01:25 65536 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-04-17 15:58 . 2009-05-16 01:25 1161626 ----a-w- c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\libs\avcodec-51.dll
2009-04-11 06:33 . 2009-05-26 23:10 986600 ----a-w- c:\windows\system32\winload.exe
2009-04-11 06:33 . 2009-05-26 23:09 926184 ----a-w- c:\windows\system32\winresume.exe
2009-04-11 06:33 . 2009-05-26 23:09 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2009-04-11 06:33 . 2009-05-26 23:10 897000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-04-11 06:28 . 2009-05-26 23:09 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2009-04-11 06:27 . 2009-05-26 23:10 441344 ----a-w- c:\windows\system32\SearchIndexer.exe
2009-04-11 06:22 . 2009-05-26 23:08 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-04-11 06:21 . 2009-05-26 23:08 37376 ----a-w- c:\windows\system32\cdd.dll
2009-04-11 05:42 . 2009-05-26 23:08 93696 ----a-w- c:\windows\system32\drivers\bridge.sys
2009-04-11 05:03 . 2009-05-26 23:11 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 05:03 . 2009-05-26 23:11 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 04:57 . 2009-05-26 23:08 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-11 04:54 . 2009-05-26 23:08 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-11 04:52 . 2009-05-26 23:08 248320 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2009-04-11 04:51 . 2009-05-26 23:08 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-04-11 04:47 . 2009-05-26 23:08 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2009-04-11 04:46 . 2009-05-26 23:08 69120 ----a-w- c:\windows\system32\drivers\rassstp.sys
2009-04-11 04:46 . 2009-05-26 23:08 121344 ----a-w- c:\windows\system32\drivers\ndiswan.sys
2009-04-11 04:46 . 2009-05-26 23:08 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-04-11 04:46 . 2009-05-26 23:08 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2009-04-11 04:46 . 2009-05-26 23:08 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2009-04-11 04:46 . 2009-05-26 23:08 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-04-11 04:45 . 2009-05-26 23:08 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-11 04:45 . 2009-05-26 23:08 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-04-11 04:45 . 2009-05-26 23:09 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2009-04-11 04:45 . 2009-05-26 23:09 401408 ----a-w- c:\windows\system32\drivers\http.sys
2009-04-11 04:45 . 2009-05-26 23:08 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-11 04:45 . 2009-05-26 23:08 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2009-04-11 04:43 . 2009-05-26 23:08 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-04-11 04:43 . 2009-05-26 23:09 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-04-11 04:43 . 2009-05-26 23:08 62208 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2009-04-11 04:43 . 2009-05-26 23:09 236544 ----a-w- c:\windows\system32\drivers\HdAudio.sys
2009-04-11 04:42 . 2009-05-26 23:09 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-04-11 04:42 . 2009-05-26 23:08 25856 ----a-w- c:\windows\system32\drivers\USBCAMD2.sys
2009-04-11 04:42 . 2009-05-26 23:08 25856 ----a-w- c:\windows\system32\drivers\USBCAMD.sys
2009-04-11 04:42 . 2009-05-26 23:08 73216 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-04-11 04:42 . 2009-05-26 23:09 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-04-11 04:42 . 2009-05-26 23:08 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-04-11 04:42 . 2009-05-26 23:08 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-04-11 04:42 . 2009-05-26 23:08 12800 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-04-11 04:42 . 2009-05-26 23:08 39424 ----a-w- c:\windows\system32\drivers\hidclass.sys
2009-04-11 04:42 . 2009-05-26 23:08 52992 ----a-w- c:\windows\system32\drivers\stream.sys
2009-04-11 04:42 . 2009-05-26 23:11 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-04-11 04:39 . 2009-05-26 23:08 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-04-11 04:39 . 2009-05-26 23:08 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-04-11 04:39 . 2009-05-26 23:08 19456 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2009-04-11 04:38 . 2009-05-26 23:09 149504 ----a-w- c:\windows\system32\drivers\ks.sys
2009-04-11 04:27 . 2009-05-26 23:08 2560 ----a-w- c:\windows\system32\msimsg.dll
2009-04-11 04:23 . 2009-05-26 23:10 626176 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-04-11 04:23 . 2009-05-26 23:08 76288 ----a-w- c:\windows\system32\drivers\dxg.sys
2009-04-11 04:23 . 2009-05-26 23:08 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-04-11 04:22 . 2009-05-26 23:08 33280 ----a-w- c:\windows\system32\drivers\watchdog.sys
2009-04-11 04:19 . 2009-05-26 23:08 89088 ----a-w- c:\windows\system32\drivers\sdbus.sys
2009-04-11 04:15 . 2009-05-26 23:09 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-11 04:15 . 2009-05-26 23:09 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-04-11 04:15 . 2009-05-26 23:09 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-04-11 04:14 . 2009-05-26 23:09 351744 ----a-w- c:\windows\system32\drivers\csc.sys
2009-04-11 04:14 . 2009-05-26 23:09 114688 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-04-11 04:14 . 2009-05-26 23:09 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-04-11 04:14 . 2009-05-26 23:09 225280 ----a-w- c:\windows\system32\drivers\rdbss.sys
2009-04-11 04:14 . 2009-05-26 23:09 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2009-04-11 04:14 . 2009-05-26 23:09 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-04-11 04:14 . 2009-05-26 23:08 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2009-04-11 04:14 . 2009-05-26 23:08 35328 ----a-w- c:\windows\system32\drivers\npfs.sys
2009-04-11 04:13 . 2009-05-26 23:08 226816 ----a-w- c:\windows\system32\drivers\udfs.sys
2009-04-11 04:13 . 2009-05-26 23:08 136704 ----a-w- c:\windows\system32\drivers\exfat.sys
2009-04-11 04:13 . 2009-05-26 23:08 142848 ----a-w- c:\windows\system32\drivers\fastfat.sys
2009-04-11 04:12 . 2009-05-26 23:09 617984 ----a-w- c:\windows\system32\adtschema.dll
2009-04-11 02:52 . 2009-05-26 23:11 684032 ----a-w- c:\windows\system32\drivers\spsys.sys
2009-04-11 01:59 . 2009-05-26 23:10 107612 ----a-w- c:\windows\system32\StructuredQuerySchema.bin
2009-03-30 04:42 . 2009-05-26 23:10 278848 ----a-w- c:\windows\system32\mscoree.dll
2009-03-30 04:42 . 2009-05-26 23:09 93512 ----a-w- c:\windows\system32\dfshim.dll
2009-03-30 04:42 . 2009-05-26 23:09 80720 ----a-w- c:\windows\system32\mscories.dll
2009-03-30 04:42 . 2009-05-26 23:09 155456 ----a-w- c:\windows\system32\mscorier.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnhancedStorageShell]
@="{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
[HKEY_CLASSES_ROOT\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}]
2009-04-11 06:28 114176 ----a-w- c:\windows\System32\EhStorShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-10 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"BindDirectlyToPropertySetStorage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):33,2c,f5,7b,75,de,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4201862066-2541551795-1737911188-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [20/02/2008 11:11 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20/02/2008 11:08 472320]
R3 b57nd60x;%SvcDispName%;c:\windows\System32\drivers\b57nd60x.sys [16/05/2009 17:09 179712]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\System32\regedt32.exe [02/11/2006 09:32 9216]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\
FF - prefs.js: browser.search.selectedEngine - DramaWiki (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - proxy.sap.hokkyodai.ac.jp
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.sap.hokkyodai.ac.jp
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.socks - proxy.sap.hokkyodai.ac.jp
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.sap.hokkyodai.ac.jp
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Majid\AppData\Roaming\Mozilla\Firefox\Profiles\fzwe655r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 16:56
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.032"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.abr"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ani"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.arw"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bay"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bmp"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bw"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cr2"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.crw"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cs1"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cur"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dcr"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dcx"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dib"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djv"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djvu"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dng"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.emf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.eps"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.erf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fff"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fpx"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.gif"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.hdr"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.icl"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.icn"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.iff"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ilbm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.int"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.inta"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.iw4"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.j2c"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.j2k"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jbr"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jfif"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jif"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jp2"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpc"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpe"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpeg"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpg"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpk"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpx"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.kdc"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.lbm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.mef"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.mos"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.mrw"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.nef"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.orf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pbm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pbr"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pcd"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pct"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pcx"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pef"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pgm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pic"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pict"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pix"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.png"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ppm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.psd"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.psp"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pspbrush"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pspimage"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.raf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ras"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.raw"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rgb"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rgba"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rle"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rsb"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rw2"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.sgi"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.sr2"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.srf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tga"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.thm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tif"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tiff"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ttc"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ttf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11o\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11o"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11p"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11pf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11pf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wbm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wbmp"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wmf"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xbm"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xif"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xmp"

[HKEY_USERS\S-1-5-21-4201862066-2541551795-1737911188-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xpm"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-06-11 16:58
ComboFix-quarantined-files.txt 2009-06-11 15:57

Pre-Run: 5,709,209,600 bytes free
Post-Run: 5,633,122,304 bytes free

586 --- E O F --- 2009-06-10 13:58

pskelley
2009-06-11, 18:20
Good job :bigthumb: That's the nasty stuff causing the problems. Have a look:
http://en.wikipedia.org/wiki/Rootkit
http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci547279,00.html

Let's continue carefully like this:

1) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

2) Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

3) Also post an uninstall list: open HijackThis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

anoney
2009-06-11, 19:43
Malwarebytes Log:

Malwarebytes' Anti-Malware 1.37
Database version: 2262
Windows 6.0.6002 Service Pack 2

11/06/2009 18:34:17
mbam-log-2009-06-11 (18-34-16).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 177491
Time elapsed: 1 hour(s), 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
f:\Media\setup files\ahead nerovision express v3.0.1.18\Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:08, on 11/06/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 2836 bytes

Uninstall List

ACDSee Photo Manager 2009
Acrobat.com
AcronisTrueImageHome
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
CCleaner (remove only)
Choice Guard
Combined Community Codec Pack 2008-09-21 16:18
DVD Decrypter (Remove Only)
ERUNT 1.1j
ESET NOD32 Antivirus
foobar2000 v0.9.5.2
GetDiz 4.5
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.0.10)
MSVCRT
NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
SpywareBlaster 4.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb970012)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver

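The ComboFix and HijackThis logs above are read by eye in this thread. As an added example (not code from this forum or from either tool), here is a small triage script in the style a responder might keep to hand: it runs pasted log lines through a few defender-side heuristics, flagging a service whose image path is a stock Windows utility (as with the `regedt32.exe` service in the ComboFix log), a Firefox proxy host that needs confirming, a hosts-file mapping other than localhost, a BHO registration with no backing file, and a service with no known publisher. The rule names, the `STOCK_TOOLS` list and the `203.0.113.5` hosts line are my own constructions; the other sample lines are modelled on the logs posted in this thread. A proxy host may well be legitimate, which is why that rule only reports it for review rather than calling it malicious.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # short name of the heuristic that fired
    line: str   # the log line it fired on


# Stock Windows utilities that should not be the image path of a service.
# Constructed for this example, not an authoritative list.
STOCK_TOOLS = {"regedt32.exe", "regedit.exe", "cmd.exe", "rundll32.exe",
               "wscript.exe", "cscript.exe", "mshta.exe"}

# ComboFix service line: "S2 name;display name;c:\path\image.exe [date size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")
# ComboFix Firefox prefs line: "FF - prefs.js: network.proxy.ssl - host"
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+) - (.*)$")
# HijackThis hosts line: "O1 - Hosts: <address> <name>"
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Firefox proxy keys whose value is a host (the *_port keys are ignored).
PROXY_HOST_KEYS = {"http", "ssl", "ftp", "gopher", "socks", "autoconfig_url"}


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty list when nothing fired)."""
    s = line.strip()
    out: list[Finding] = []

    m = SERVICE_RE.match(s)
    if m:
        # Take the file name of the service image and compare it to the tool list.
        image = m.group(4).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in STOCK_TOOLS:
            out.append(Finding("service image is a stock Windows tool", s))
        return out

    m = FF_PROXY_RE.match(s)
    if m:
        key, value = m.group(1), m.group(2).strip()
        if key in PROXY_HOST_KEYS and value:
            out.append(Finding("Firefox proxy host configured", s))
        return out

    if s.startswith("O2 - BHO:") and s.endswith("(no file)"):
        out.append(Finding("orphaned BHO registration", s))
    elif s.startswith("O23 - Service:") and "Unknown owner" in s:
        out.append(Finding("service with unknown publisher", s))
    else:
        m = HOSTS_RE.match(s)
        if m and m.group(2).lower() != "localhost":
            out.append(Finding("hosts file override", s))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run every line of a pasted log through the heuristics, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


# Constructed sample: lines modelled on the logs in this thread plus one
# invented hosts override (203.0.113.5), so the script runs offline.
SAMPLE_LOG = r"""
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20/02/2008 11:08 472320]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\System32\regedt32.exe [02/11/2006 09:32 9216]
FF - prefs.js: network.proxy.ssl - proxy.sap.hokkyodai.ac.jp
FF - prefs.js: network.proxy.ssl_port - 8080
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.example.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run as-is it prints five findings for the sample and nothing for the benign ekrn and localhost lines. The heuristics are deliberately narrow: an orphaned BHO or an "Unknown owner" service is often a harmless leftover, so each finding is a prompt to check the file and its publisher, not a verdict.
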
pskelley
2009-06-11, 20:44
1) f:\Media\setup files\ahead nerovision express v3.0.1.18\Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
http://forums.spybot.info/showpost.php?p=25290&postcount=4 <<< see this

2) Run DISK CLEANUP: ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEANUP

3) Get maximum performance from Windows Vista
http://windowshelp.microsoft.com/windows/en-us/Help/596FB57F-CC9D-4AC5-A813-5C0830E9156A1033.mspx

How is the computer running?

Thanks

anoney
2009-06-11, 21:05
I apologise for the offending file (Ahead Nerovision Express), and it has been deleted. I also ran disk cleanup on all drives.

Google searches are no longer redirecting and are working fine. Should I install Spybot S&D now?

pskelley
2009-06-11, 21:16
Let's wrap up like this:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the run box and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)

Update NOD32 Antivirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.

If all is well at this point, let me know and I will close the topic.

Not all of this information may apply to Windows Vista:

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

anoney
2009-06-11, 23:39
Uninstalled ComboFix without any problems.

Updated MBAM and ran another full scan. Everything clean.

Updated NOD32 Antivirus and ran a full scan. Everything clean.

Will be keeping MBAM as it seems like a very thorough program. Also will install Spybot S&D and a free firewall (which I didn't have before).

All in all, everything seems fine and no apparent traces of malware or nasty viruses. Thanks for all your help, pskelley. I really do appreciate all your kind and speedy help with this!

pskelley
2009-06-12, 00:06
Thanks for taking the time to let me know :bigthumb: Safe surfing.