Cannot install MalwareBytes (WinPC problem)
stephen_g
2009-06-15, 10:40
Hi,
I have a machine infected with WinPC Defender.
I am unable to install Malwarebytes (I get the egg timer briefly then nothing).
Similarly I cannot run Spybot Search and Destroy (I get the egg timer briefly then nothing).
Here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:13:49, on 14/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\tom\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 10792 bytes
Can anyone advise, please?
Regards
Stephen
Bio-Hazard
2009-06-15, 14:47
Hello and welcome to the forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
No Reply Within 5 Days Will Result In Your Topic Being Closed!!
Bio-Hazard
2009-06-15, 14:52
STEP 1
Download DDS
Please download DDS by sUBs from one of the links below and save it to your desktop:
Download DDS and save it to your desktop from:
Link1 (http://www.techsupportforum.com/sectools/sUBs/dds)
Link2 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link3 (http://www.forospyware.com/sUBs/dds)
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after, two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you to save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply
STEP 2
RootRepeal - Rootkit Detector
Download RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip) and unzip it to your Desktop.
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan
The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program
Next Reply
Please reply with:
DDS.txt
Attach.txt
RootRepeal.txt
stephen_g
2009-06-16, 22:33
Hi,
Thanks for your help with this.
I was unable to run DDS, I got the first screen telling me that the scan should take no longer than three minutes etc, but then nothing happened and no reports were generated.
When I tried to run RootRepeal, I initially got an error "Invalid PE Image Found", I clicked on OK, the scan commenced, but part way through the process there was another error message "Attempt to read from address 0x00b43004" then the program terminated.
Regards
Stephen
stephen_g
2009-06-17, 00:46
Hi again!
After a couple of further attempts I have now managed to produce the logs, here they are.
DDS (Ver_09-05-14.01) - NTFSx86
Run by tom at 20:39:08.67 on 16/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.263 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
svchost.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\DOCUME~1\tom\LOCALS~1\Temp\Google Toolbar\gtb4.tmp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\tom\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: SFCDisable=4 (0x4)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\windows\system32\WSBar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [Loaris Trojan Remover] "c:\program files\loaris trojan remover\TrojanRemover.exe" 0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PrnSys Executable] c:\program files\hp\digital imaging\hp print screen\PrnSys.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [realteks] "c:\documents and settings\tom\application data\google\uqrke8412012.exe" 2
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Chess - hxxp://download2.games.yahoo.com/games/clients/y/ct5_x.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/B/E/5BE645ED-2F2D-4E4D-9C54-AFB56EFCB312/LegitCheckControl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\vturr
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-11 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-11 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2006-10-11 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-11 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [1980-1-1 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2007-7-29 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-3-7 29744]
S4 vsdatant;vsdatant; [x]
=============== Created Last 30 ================
2009-06-16 20:11 359,893 ac------ C:\dds.scr
2009-06-16 20:11 359,893 ac------ C:\dds.pif
2009-06-16 20:11 359,893 ac------ C:\dds.com
2009-06-14 17:33 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-06-14 17:33 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-06-14 17:33 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-14 16:27 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-02 21:43 <DIR> --d----- c:\program files\Loaris Trojan Remover
2009-06-02 20:20 83,096 a------- c:\windows\system32\SSSensor.dll
2009-06-02 20:20 <DIR> --d----- c:\program files\Sygate
==================== Find3M ====================
2009-06-12 10:55 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-26 15:11 174 a------- c:\docume~1\tom\applic~1\asd.bat
2009-05-11 10:11 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-11 10:10 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 05:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 05:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 05:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 05:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 05:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 05:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 05:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 05:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 05:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 10:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 10:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 06:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 06:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 13:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 12:43 67 ac------ C:\New Project.dat
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 15:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2007-10-05 12:12 823,404 ---sh--- c:\windows\system32\bdeeg.bak1
2007-10-02 22:23 812,810 ---sh--- c:\windows\system32\knnmp.bak1
2007-10-04 22:32 819,429 ---sh--- c:\windows\system32\knnmp.bak2
2007-10-10 13:47 574,749 ---sh--- c:\windows\system32\rrutv.bak2
2008-10-31 11:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103120081101\index.dat
============= FINISH: 20:43:28.10 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-05-14.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 27/12/2005 14:11:54
System Uptime: 16/06/2009 20:21:19 (0 hours ago)
Processor: Intel(R) Celeron(R) CPU 2.66GHz | Socket 478 | 2680/133mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 70 GiB total, 51.476 GiB free.
D: is CDROM ()
E: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP571: 12/03/2009 15:12:43 - Software Distribution Service 3.0
RP572: 16/03/2009 18:57:19 - System Checkpoint
RP573: 17/03/2009 10:42:58 - Software Distribution Service 3.0
RP574: 18/03/2009 18:31:47 - Avg8 Update
RP575: 22/03/2009 11:33:01 - System Checkpoint
RP576: 27/03/2009 09:41:44 - Avg8 Update
RP577: 06/04/2009 16:54:11 - System Checkpoint
RP578: 09/04/2009 10:29:38 - System Checkpoint
RP579: 15/04/2009 12:21:17 - Software Distribution Service 3.0
RP580: 16/04/2009 12:24:33 - Avg8 Update
RP581: 25/04/2009 12:08:01 - Installed Java(TM) 6 Update 13
RP582: 29/04/2009 11:00:37 - Software Distribution Service 3.0
RP583: 01/05/2009 16:29:56 - System Checkpoint
RP584: 06/05/2009 18:46:45 - Installed Connect Service
RP585: 07/05/2009 18:51:38 - System Checkpoint
RP586: 08/05/2009 22:28:03 - System Checkpoint
RP587: 11/05/2009 10:08:08 - Avg8 Update
RP588: 11/05/2009 10:12:01 - Avg8 Update
RP589: 13/05/2009 15:59:07 - Software Distribution Service 3.0
RP590: 16/05/2009 11:30:35 - Restore Operation
RP591: 17/05/2009 10:40:39 - Avg8 Update
RP592: 17/05/2009 11:26:44 - Installed Microsoft AntiSpyware
RP593: 20/05/2009 09:25:37 - Avg8 Update
RP594: 20/05/2009 09:27:53 - Avg8 Update
RP595: 26/05/2009 17:30:10 - System Checkpoint
RP596: 09/06/2009 00:21:51 - System Checkpoint
==== Installed Programs ======================
==== Event Viewer Messages From Past Week ========
16/06/2009 20:18:58, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip wpsdrvnt WS2IFSL
16/06/2009 20:18:57, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
16/06/2009 20:18:57, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
14/06/2009 17:33:38, error: Service Control Manager [7000] - The Motorola SURFboard USB Cable Modem Windows Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:33:38, error: Service Control Manager [7000] - The Microsoft TV/Video Connection service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:33:37, error: Service Control Manager [7000] - The Bluetooth Device (Personal Area Network) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:33:37, error: Service Control Manager [7000] - The %ADM8511.Service.DispName% service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
14/06/2009 17:20:40, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
14/06/2009 16:23:59, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:23:47, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:23:28, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/06/2009 16:22:49, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:22:20, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:22:14, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
14/06/2009 16:01:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
14/06/2009 15:57:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
14/06/2009 15:56:45, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
14/06/2009 15:53:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
==== End Of File ===========================
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/16 20:46
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1F17000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CDE000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0909000 Size: 49152 File Visible: No Signed: -
Status: -
Name: UACxrmbpxeooqxmhwu.sys
Image Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
Address: 0xF2EA2000 Size: 77824 File Visible: - Signed: -
Status: Hidden from Windows API!
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\UACbwaqcmxehatlrkc.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACcvamdrvnfdtkolq.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACcxcqecmkeicvmky.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACcxvtcratgetmscn.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACdljiokilbkjbwwy.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACdxuvmjgsblijjmw.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACdyqxhfrxcegxdyr.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACetgnmvbemharkkw.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACproc.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACpxrnirdqurqfdsq.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACqepxqidnskaccgt.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACqioxxgvynbbiyuu.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACtwhxurvivknpulk.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACuihsyvmuwfjxgor.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACuqvvvydslrvikal.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACvbexujxlspbytph.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACvipioiefrwapcny.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACwnoernthewrbrmh.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACxwewbbfbhqvvnip.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACyabwemydktuwehq.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACftpiqeymxfxjlnb.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACfwowfkrxlllaylf.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACfwowxcmdvpvwauh.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACjlkxqircqfigfjp.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACmiiovmwcbvplwmy.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACmjyierxtneojoou.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACobqmnrbfgoivxer.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACpbcrcvgxgxivppn.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\UAC233d.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\UAC5f90.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\UACb621.tmp
Status: Invisible to the Windows API!
Path: c:\windows\temp\perflib_perfdata_3b4.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\tom\Local Settings\Temp\UAC683b.tmp
Status: Invisible to the Windows API!
Processes
-------------------
Path: C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe
PID: 152 Status: Hidden from the Windows API!
Stealth Objects
-------------------
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: winlogon.exe (PID: 508) Address: 0x00670000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: winlogon.exe (PID: 508) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: services.exe (PID: 556) Address: 0x00690000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: services.exe (PID: 556) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: lsass.exe (PID: 568) Address: 0x006c0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: lsass.exe (PID: 568) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 720) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UAC5f90.tmpfkrxlllaylf.dll]
Process: svchost.exe (PID: 720) Address: 0x00a90000 Size: 200704
Object: Hidden Module [Name: UACyabwemydktuwehq.dll]
Process: svchost.exe (PID: 720) Address: 0x00b80000 Size: 69632
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 720) Address: 0x00d20000 Size: 45056
Object: Hidden Module [Name: UACfwowfkrxlllaylf.dll]
Process: svchost.exe (PID: 720) Address: 0x02aa0000 Size: 200704
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 720) Address: 0x02c20000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 720) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACmiiovmwcbvplwmy.dll]
Process: svchost.exe (PID: 720) Address: 0x02cc0000 Size: 53248
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 796) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 796) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 912) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 912) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: smc.exe (PID: 964) Address: 0x00f90000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: smc.exe (PID: 964) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1068) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1068) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1196) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1196) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: spoolsv.exe (PID: 1320) Address: 0x00a20000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: spoolsv.exe (PID: 1320) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1400) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1400) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: ACService.exe (PID: 1484) Address: 0x00820000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: ACService.exe (PID: 1484) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: Explorer.EXE (PID: 1692) Address: 0x00ca0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: Explorer.EXE (PID: 1692) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: AOLacsd.exe (PID: 1724) Address: 0x00ac0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: AOLacsd.exe (PID: 1724) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: AppleMobileDeviceService.exe (PID: 1784) Address: 0x00700000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: AppleMobileDeviceService.exe (PID: 1784) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgwdsvc.exe (PID: 1860) Address: 0x00730000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgwdsvc.exe (PID: 1860) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: mDNSResponder.exe (PID: 1896) Address: 0x00740000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: mDNSResponder.exe (PID: 1896) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: ctfmon.exe (PID: 1912) Address: 0x00930000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: ctfmon.exe (PID: 1912) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgtray.exe (PID: 1956) Address: 0x00d00000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgtray.exe (PID: 1956) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: QTTask.exe (PID: 1968) Address: 0x00b00000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: QTTask.exe (PID: 1968) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1976) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1976) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: PrnSys.exe (PID: 1984) Address: 0x00b30000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: PrnSys.exe (PID: 1984) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: rundll32.exe (PID: 1996) Address: 0x00a20000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: rundll32.exe (PID: 1996) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: ACDaemon.exe (PID: 2004) Address: 0x00ce0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: ACDaemon.exe (PID: 2004) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: iTunesHelper.exe (PID: 2020) Address: 0x00bd0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: iTunesHelper.exe (PID: 2020) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: realsched.exe (PID: 2036) Address: 0x00a90000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: realsched.exe (PID: 2036) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: jusched.exe (PID: 2044) Address: 0x00ce0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: jusched.exe (PID: 2044) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: GoogleToolbarNotifier.exe (PID: 204) Address: 0x00a70000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: GoogleToolbarNotifier.exe (PID: 204) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: TeaTimer.exe (PID: 188) Address: 0x011c0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: TeaTimer.exe (PID: 188) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: EasyShare.exe (PID: 232) Address: 0x009e0000 Size: 49152
Object: Hidden Module [Name: msvcm80.dll]
Process: EasyShare.exe (PID: 232) Address: 0x052f0000 Size: 507904
Object: Hidden Module [Name: ESCliWicMDRW.esx]
Process: EasyShare.exe (PID: 232) Address: 0x05030000 Size: 761856
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: EasyShare.exe (PID: 232) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: jqs.exe (PID: 948) Address: 0x00710000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: jqs.exe (PID: 948) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: svchost.exe (PID: 1240) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: svchost.exe (PID: 1240) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgemc.exe (PID: 2136) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgemc.exe (PID: 2136) Address: 0x00a60000 Size: 49152
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgrsx.exe (PID: 2200) Address: 0x00760000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgrsx.exe (PID: 2200) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgnsx.exe (PID: 2208) Address: 0x00780000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgnsx.exe (PID: 2208) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: avgcsrvx.exe (PID: 2448) Address: 0x00a10000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: avgcsrvx.exe (PID: 2448) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: wmiprvse.exe (PID: 2924) Address: 0x007c0000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: wmiprvse.exe (PID: 2924) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: WLLoginProxy.exe (PID: 2292) Address: 0x00980000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: WLLoginProxy.exe (PID: 2292) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: RootRepeal.exe (PID: 1212) Address: 0x00f10000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: RootRepeal.exe (PID: 1212) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: Iexplore.exe (PID: 3668) Address: 0x00b30000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: Iexplore.exe (PID: 3668) Address: 0x10000000 Size: 45056
Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
==EOF==
Thanks again
Stephen
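An added triage helper for a RootRepeal report like the one above (this is example code written for this page, not part of the thread and not RootRepeal's own tooling). It parses the report's sections, lists what the scanner flags as hidden from the Windows API, and applies the two checks a responder would make from such a log: whether the hidden service's image is itself a hidden driver or invisible file (the kernel component doing the hiding), and which hidden modules appear across several unrelated processes rather than in one process only. The sample report is a constructed excerpt in the same layout, and the `min_processes` threshold is an assumption of mine; a hidden module seen in a single process (such as the EasyShare.exe entries in the full log) is left for manual review rather than flagged.

```python
"""Triage a RootRepeal report: list what the scanner says is hidden from the Windows API."""
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal 1.3 layout shown in this thread.
SAMPLE_REPORT = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Status: -
Name: UACxrmbpxeooqxmhwu.sys
Image Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
Status: Hidden from Windows API!
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACwnoernthewrbrmh.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACxwewbbfbhqvvnip.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
Status: Invisible to the Windows API!
Processes
-------------------
Path: C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe
PID: 152 Status: Hidden from the Windows API!
Stealth Objects
-------------------
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: winlogon.exe (PID: 508) Address: 0x00670000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: winlogon.exe (PID: 508) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACwnoernthewrbrmh.dll]
Process: services.exe (PID: 556) Address: 0x00690000 Size: 49152
Object: Hidden Module [Name: UACxwewbbfbhqvvnip.dll]
Process: services.exe (PID: 556) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: msvcm80.dll]
Process: EasyShare.exe (PID: 232) Address: 0x052f0000 Size: 507904
Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys
==EOF==
"""

# Record-style sections: the key that opens a record, and the list it fills.
RECORD_SECTIONS = {"Drivers": ("Name", "drivers"), "Hidden/Locked Files": ("Path", "files"),
                   "Processes": ("Path", "processes"), "Hidden Services": ("Service Name", "services")}
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (.+)\]$")
PROCESS_RE = re.compile(r"^Process: (\S+) \(PID: (\d+)\) Address: 0x[0-9A-Fa-f]+ Size: \d+$")


def parse_rootrepeal(text):
    """Return {drivers, files, processes, modules, services}, each a list of dicts."""
    rep = {"drivers": [], "files": [], "processes": [], "modules": [], "services": []}
    section = cur = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "=-":              # banners, rules, ==EOF==
            continue
        if line in RECORD_SECTIONS or line == "Stealth Objects":
            section, cur = line, None                # a bare header names the next block
            continue
        if section == "Stealth Objects":             # one "Object:" line, then its "Process:" lines
            if m := MODULE_RE.match(line):
                cur = m.group(1)
            elif cur and (m := PROCESS_RE.match(line)):
                rep["modules"].append({"module": cur, "process": m.group(1), "pid": int(m.group(2))})
            continue
        key, _, val = (s.strip() for s in line.partition(":"))   # first colon only; paths keep "C:"
        start_key, bucket = RECORD_SECTIONS.get(section, (None, None))
        if key == start_key:
            cur = {"name": val, "path": val if key == "Path" else "", "status": ""}
            rep[bucket].append(cur)
        elif cur and key in ("Image Path", "Status"):
            cur["path" if key == "Image Path" else "status"] = val
        elif cur and key == "PID":                   # "PID: 152 Status: Hidden from the Windows API!"
            pid, _, status = val.partition("Status:")
            cur["pid"], cur["status"] = int(pid), status.strip()
    return rep


def invisible_files(rep):
    """Paths the scanner read from disk but the Windows API would not list."""
    return [f["path"] for f in rep["files"] if f["status"].startswith("Invisible")]


def injected_modules(rep, min_processes=2):
    """{module: sorted processes} for hidden modules in >= min_processes distinct processes.
    One hidden module in one process may be a self-mapped plug-in and is left for manual
    review; the same module across unrelated system processes is the injection signature."""
    seen = defaultdict(set)
    for m in rep["modules"]:
        seen[m["module"]].add(m["process"])
    return {name: sorted(procs) for name, procs in seen.items() if len(procs) >= min_processes}


def hidden_services_with_hidden_image(rep):
    """Hidden services whose image is itself a hidden driver or an invisible file:
    the kernel component doing the hiding, and the first removal target."""
    hidden = {p.lower() for p in invisible_files(rep)}
    hidden |= {d["path"].lower() for d in rep["drivers"] if "Hidden" in d["status"]}
    return [(s["name"], s["path"]) for s in rep["services"] if s["path"].lower() in hidden]
```

Run it against a saved report with `parse_rootrepeal(open("report.txt").read())`; the three summary functions then give the hidden service backed by a hidden driver, the invisible files to remove, and the module names that were injected system-wide, which is the order a removal plan is written in.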
Bio-Hazard
2009-06-17, 20:06
Download and Run ComboFix
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to doing this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
Double-click on Combo-Fix.exe and follow the prompts.
When finished, it will produce a report for you (C:\ComboFix.txt)
Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
stephen_g
2009-06-20, 19:27
Hi,
Here is the Combo-Fix log and the new HijackThis log.
Thanks for your help.
ComboFix 09-06-19.01 - tom 20/06/2009 16:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.427 [GMT 1:00]
Running from: c:\documents and settings\tom\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\windows adstatus
c:\recycler\S-1-5-21-2901695491-106716456-3498302183-1003
c:\windows\system32\drivers\UACxrmbpxeooqxmhwu.sys
c:\windows\system32\UACdkpxoarrphpxngs.log
c:\windows\system32\UACftpiqeymxfxjlnb.dat
c:\windows\system32\UACfwowfkrxlllaylf.dll
c:\windows\system32\UACkopwxvirgkcmjuv.log
c:\windows\system32\UACmiiovmwcbvplwmy.dll
c:\windows\system32\UACuqvvvydslrvikal.log
c:\windows\system32\UACwnoernthewrbrmh.dll
c:\windows\system32\UACxwewbbfbhqvvnip.dll
c:\windows\system32\UACyabwemydktuwehq.dll
C:\check_LSA7.txt
C:\dds.pif
c:\documents and settings\tom\Application Data\Google\Shell32.dll
c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe
c:\program files\FunWebProducts\PopSwatr\History\allowed
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\recycler\S-1-5-21-2901695491-106716456-3498302183-1003\desktop.ini
c:\recycler\S-1-5-21-2901695491-106716456-3498302183-1003\INFO2
c:\windows\cookies.ini
c:\windows\system32\bdeeg.bak1
c:\windows\system32\bdeeg.tmp
c:\windows\system32\drivers\UACxrmbpxeooqxmhwu.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\knnmp.bak1
c:\windows\system32\knnmp.bak2
c:\windows\system32\ppuuhaal.ini
c:\windows\system32\regscan.exe
c:\windows\system32\rrutv.bak2
c:\windows\system32\rrutv.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\UACdkpxoarrphpxngs.log
c:\windows\system32\UACftpiqeymxfxjlnb.dat
c:\windows\system32\UACfwowfkrxlllaylf.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkopwxvirgkcmjuv.log
c:\windows\system32\UACmiiovmwcbvplwmy.dll
c:\windows\system32\UACuqvvvydslrvikal.log
c:\windows\system32\UACwnoernthewrbrmh.dll
c:\windows\system32\UACxwewbbfbhqvvnip.dll
c:\windows\system32\UACyabwemydktuwehq.dll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.
2009-06-16 19:46 . 2009-06-16 19:46 0 ----a-w- c:\documents and settings\tom\settings.dat
2009-06-16 19:11 . 2009-06-15 14:05 359893 -c--a-w- C:\dds.scr
2009-06-16 19:11 . 2009-06-15 14:06 359893 -c--a-w- C:\dds.com
2009-06-16 19:03 . 2009-06-16 19:03 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-06-14 16:33 . 2004-10-15 17:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-06-14 16:33 . 2004-10-15 17:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 16:33 . 2004-10-15 17:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-06-14 16:00 . 2009-06-14 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:27 . 2009-06-14 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-----w- c:\program files\ERUNT
2009-06-08 20:02 . 2009-06-08 20:06 -------- d-----w- c:\documents and settings\cynth\Local Settings\Application Data\Adobe
2009-06-02 20:43 . 2009-06-08 19:39 -------- d-----w- c:\program files\Loaris Trojan Remover
2009-06-02 19:20 . 2004-10-15 17:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- c:\program files\Sygate
2009-05-30 17:25 . 2009-05-30 17:25 66560 ----a-w- c:\windows\system32\UACobqmnrbfgoivxer.dll
2009-05-30 17:22 . 2009-05-30 17:22 422 ----a-w- c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
2009-05-30 17:22 . 2009-05-30 17:22 16141 ----a-w- c:\documents and settings\tom\Application Data\CyberLink\lego.exe
2009-05-30 17:22 . 2009-05-30 17:22 145131 ----a-w- c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
2009-05-30 17:22 . 2009-05-30 17:22 13221 ----a-w- c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
2009-05-30 17:22 . 2009-05-30 17:22 11410 ----a-w- c:\documents and settings\tom\Application Data\Help\msgdi.dll
2009-05-30 17:22 . 2009-05-30 17:22 11232 ----a-w- c:\documents and settings\tom\Application Data\Adobe\shalom.exe
2009-05-30 17:22 . 2009-05-30 17:22 10121 ----a-w- c:\documents and settings\tom\Application Data\Identities\kern.dll
2009-05-26 20:54 . 2007-05-25 15:52 351232 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
2009-05-26 20:54 . 2007-05-25 15:52 139264 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 15:49 . 2005-12-27 15:51 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-06-20 15:49 . 2008-12-29 12:08 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-20 15:47 . 2008-12-12 13:19 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-20 15:17 . 2008-05-28 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 15:16 . 2008-08-11 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-12 09:55 . 2008-08-11 20:48 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 19:18 . 2007-10-06 14:25 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-26 14:11 . 2009-05-15 08:59 174 ----a-w- c:\documents and settings\tom\Application Data\asd.bat
2009-05-26 14:11 . 2009-05-15 08:59 174 ----a-w- c:\documents and settings\tom\Application Data\asd.bat
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\Skinux
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\ArcSoft
2009-05-16 10:37 . 2006-08-15 19:22 -------- d-----w- c:\program files\Google
2009-05-11 09:11 . 2008-08-11 20:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 09:11 . 2008-08-11 20:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-11 09:10 . 2008-08-11 20:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-09-19 19:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:46 . 2005-12-27 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-29 04:56 . 2006-06-23 10:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 11:40 . 2007-06-27 09:02 -------- d-----w- c:\program files\NCH Swift Sound
2009-04-25 11:08 . 2005-12-27 21:41 -------- d-----w- c:\program files\Java
2009-04-25 11:07 . 2009-04-25 11:07 152576 ----a-w- c:\documents and settings\tom\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2002-09-19 19:26 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 11:43 . 2009-04-16 11:40 67 -c--a-w- C:\New Project.dat
2009-04-15 14:51 . 2004-09-30 13:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-07 11:25 . 2008-03-07 11:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PrnSys Executable"="c:\program files\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2003-09-16 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 09:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"25996:TCP"= 25996:TCP:PORT_25996
"27165:TCP"= 27165:TCP:PORT_27165
"14047:TCP"= 14047:TCP:PORT_14047
"51711:TCP"= 51711:TCP:PORT_51711
"27816:TCP"= 27816:TCP:PORT_27816
"37065:TCP"= 37065:TCP:PORT_37065
"16020:TCP"= 16020:TCP:PORT_16020
"40219:TCP"= 40219:TCP:PORT_40219
"34969:TCP"= 34969:TCP:PORT_34969
"64887:TCP"= 64887:TCP:PORT_64887
"8575:TCP"= 8575:TCP:PORT_8575
"63055:TCP"= 63055:TCP:PORT_63055
"17305:TCP"= 17305:TCP:PORT_17305
"19958:TCP"= 19958:TCP:PORT_19958
"16313:TCP"= 16313:TCP:PORT_16313
"5064:TCP"= 5064:TCP:PORT_5064
"48689:TCP"= 48689:TCP:PORT_48689
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/08/2008 21:48 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/08/2008 21:48 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/10/2006 11:31 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2008 21:48 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/01/2009 11:51 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [29/07/2007 19:50 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/03/2008 12:25 29744]
.
Contents of the 'Scheduled Tasks' folder
2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]
2009-06-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2009-06-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-22 09:09]
2009-06-20 c:\windows\Tasks\User_Feed_Synchronization-{B46AED34-E5FA-4E84-BCD5-B08221679D4F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Loaris Trojan Remover - c:\program files\Loaris Trojan Remover\TrojanRemover.exe
HKCU-Run-SVCHOST.EXE - c:\windows\system32\drivers\svchost.exe
HKLM-Run-realteks - c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe
SafeBoot-svcWRSSSDK
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 16:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-586325353-3991718394-1891130813-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-06-20 16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 15:54
Pre-Run: 55,219,998,720 bytes free
Post-Run: 55,466,569,728 bytes free
278 --- E O F --- 2009-06-14 12:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56:47, on 20/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\tom\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
--
End of file - 10911 bytes
Bio-Hazard
2009-06-20, 20:07
Do you know what this folder is: C:\New Project.dat
Do you know about these open firewall ports? Do you play online games?
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"25996:TCP"= 25996:TCP:PORT_25996
"27165:TCP"= 27165:TCP:PORT_27165
"14047:TCP"= 14047:TCP:PORT_14047
"51711:TCP"= 51711:TCP:PORT_51711
"27816:TCP"= 27816:TCP:PORT_27816
"37065:TCP"= 37065:TCP:PORT_37065
"16020:TCP"= 16020:TCP:PORT_16020
"40219:TCP"= 40219:TCP:PORT_40219
"34969:TCP"= 34969:TCP:PORT_34969
"64887:TCP"= 64887:TCP:PORT_64887
"8575:TCP"= 8575:TCP:PORT_8575
"63055:TCP"= 63055:TCP:PORT_63055
"17305:TCP"= 17305:TCP:PORT_17305
"19958:TCP"= 19958:TCP:PORT_19958
"16313:TCP"= 16313:TCP:PORT_16313
"5064:TCP"= 5064:TCP:PORT_5064
"48689:TCP"= 48689:TCP:PORT_48689
Run CFScript
Close any open browsers.
Open Notepad by clicking Start
Click Run
Type notepad into the box and press Enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:
http://forums.spybot.info/showthread.php?p=318712#post318712
Collect::
c:\windows\system32\UACobqmnrbfgoivxer.dll
c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
c:\documents and settings\tom\Application Data\CyberLink\lego.exe
c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
c:\documents and settings\tom\Application Data\Help\msgdi.dll
c:\documents and settings\tom\Application Data\Adobe\shalom.exe
c:\documents and settings\tom\Application Data\Identities\kern.dll
c:\documents and settings\tom\Application Data\asd.bat
c:\windows\system32\bdeeg.bak1
c:\windows\system32\knnmp.bak1
c:\windows\system32\knnmp.bak2
c:\windows\system32\rrutv.bak2
Folder::
c:\program files\Loaris Trojan Remover
DDS::
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZSYYYYYYYYGB
FF - ProfilePath -
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
[-HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)
http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Referring to the picture below, drag CFScript into ComboFix.exe
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt
NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ATF-Cleaner
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.
Kaspersky Online Scan
You can use either Internet Explorer or Mozilla Firefox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Answer to my question
ComboFix log (found at C:\Combofix.txt)
Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
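The helper's question above is really a triage of the firewall policy that ComboFix dumps under "Reg Loading Points": the standard profile has EnableFirewall set to 0, the AuthorizedApplications list contains a copy of svchost.exe living under system32\drivers rather than system32 itself, and the GloballyOpenPorts list holds a run of high-numbered TCP ports whose only description is the auto-generated PORT_nnnn string. The script below is an added example for readers of this thread, not code from the helper, the forum, or ComboFix: it parses a constructed excerpt in the same layout as the log and applies three heuristics (assumed, not taken from any tool) to surface exactly those three kinds of finding. The SYSTEM_BINARIES and SYSTEM_DIRS sets and the PORT_nnnn rule are the example's own assumptions; a practitioner would tune them to the environment.

```python
import re
from dataclasses import dataclass

# Constructed excerpt, in the layout of the ComboFix "Reg Loading Points" section
# quoted in the thread (paths carry doubled backslashes exactly as in the log).
# The 3389 entry is made up to show a port with a human-readable description.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"3389:TCP"= 3389:TCP:Remote Desktop
"48689:TCP"= 48689:TCP:PORT_48689
"""

# Assumption: these core Windows binaries legitimately live only in a system directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = ("\\system32", "\\syswow64", "\\windows")

VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
SECTION_RE = re.compile(r'^\[(.+)\]$')


@dataclass(frozen=True)
class Finding:
    kind: str      # "firewall_disabled" | "suspicious_app" | "generic_port"
    detail: str


def parse_firewall_policy(text):
    """Return (firewall_enabled, authorized_apps, open_ports) from a log excerpt.

    authorized_apps: native Windows paths with the log's doubled backslashes collapsed
    open_ports: (port, protocol, description) tuples from the GloballyOpenPorts list
    """
    enabled = None
    apps, ports = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            if key.endswith("authorizedapplications\\list"):
                section = "apps"
            elif key.endswith("globallyopenports\\list"):
                section = "ports"
            elif key.endswith("firewallpolicy\\standardprofile"):
                section = "profile"
            else:
                section = None
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if section == "profile" and name == "EnableFirewall":
            enabled = not value.startswith("0")
        elif section == "apps":
            apps.append(name.replace("\\\\", "\\"))
        elif section == "ports":
            port, proto = name.split(":", 1)
            # Value looks like "6253:TCP:PORT_6253"; the third field is the description.
            desc = value.split(":", 2)[2] if value.count(":") >= 2 else ""
            ports.append((int(port), proto, desc))
    return enabled, apps, ports


def audit_firewall_policy(text):
    """Apply the three heuristics and return the findings in log order."""
    enabled, apps, ports = parse_firewall_policy(text)
    findings = []
    if enabled is False:
        findings.append(Finding("firewall_disabled",
                                "EnableFirewall = 0 in the standard profile"))
    for path in apps:
        directory, _, basename = path.lower().rpartition("\\")
        # A core system binary name outside a system directory is a classic masquerade.
        if basename in SYSTEM_BINARIES and not directory.endswith(SYSTEM_DIRS):
            findings.append(Finding("suspicious_app", path))
    for port, proto, desc in ports:
        # Heuristic: a bare PORT_nnnn description means nothing user-facing named the rule.
        if re.fullmatch(r"PORT_\d+", desc):
            findings.append(Finding("generic_port", f"{port}/{proto}"))
    return findings


if __name__ == "__main__":
    for finding in audit_firewall_policy(SAMPLE_LOG):
        print(f"{finding.kind:18} {finding.detail}")
```

Run against the constructed excerpt it reports the disabled firewall, the svchost.exe under system32\drivers, and the two PORT_nnnn entries, while leaving the named 3389 rule alone; pasting the real "Reg Loading Points" block from a ComboFix log in place of SAMPLE_LOG works the same way, since the parser only depends on the `[key]` / `"name"= value` layout.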
Bio-Hazard
2009-06-25, 11:45
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, as you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
Bio-Hazard
2009-06-26, 22:16
Hello!
Thread reopened.
Please delete the existing copy of ComboFix and run it, and post that log for me to see. DO NOT do anything else; disregard my last post. It is almost 5 days now, so it is better to start from the beginning again.
stephen_g
2009-06-26, 22:50
Hello,
Many thanks for reopening the thread, I really appreciate your help.
Here is the Combofix log that I produced yesterday.
ComboFix 09-06-24.05 - tom 25/06/2009 11:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.375 [GMT 1:00]
Running from: c:\documents and settings\tom\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
file zipped: c:\documents and settings\tom\Application Data\Adobe\shalom.exe
file zipped: c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
file zipped: c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
file zipped: c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
file zipped: c:\documents and settings\tom\Application Data\asd.bat
file zipped: c:\documents and settings\tom\Application Data\CyberLink\lego.exe
file zipped: c:\documents and settings\tom\Application Data\Help\msgdi.dll
file zipped: c:\documents and settings\tom\Application Data\Identities\kern.dll
file zipped: c:\windows\system32\UACobqmnrbfgoivxer.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Loaris Trojan Remover
c:\documents and settings\tom\Application Data\Adobe\shalom.exe
c:\documents and settings\tom\Application Data\AdobeUM\rengo.dll
c:\documents and settings\tom\Application Data\Apple Computer\socks1.exe
c:\documents and settings\tom\Application Data\ArcSoft\nomad.exe
c:\documents and settings\tom\Application Data\asd.bat
c:\documents and settings\tom\Application Data\CyberLink\lego.exe
c:\documents and settings\tom\Application Data\Help\msgdi.dll
c:\documents and settings\tom\Application Data\Identities\kern.dll
c:\program files\Loaris Trojan Remover\logs\scan-2009-06-02 [21-55-28].log
c:\program files\Loaris Trojan Remover\logs\scan-2009-06-03 [09-52-52].log
c:\program files\Loaris Trojan Remover\smd.c
c:\program files\Loaris Trojan Remover\vs.c
c:\windows\system32\UACobqmnrbfgoivxer.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.
2009-06-16 19:46 . 2009-06-16 19:46 0 ----a-w- c:\documents and settings\tom\settings.dat
2009-06-16 19:11 . 2009-06-15 14:05 359893 -c--a-w- C:\dds.scr
2009-06-16 19:11 . 2009-06-15 14:06 359893 -c--a-w- C:\dds.com
2009-06-16 19:03 . 2009-06-16 19:03 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-06-14 16:33 . 2004-10-15 17:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-06-14 16:33 . 2004-10-15 17:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 16:33 . 2004-10-15 17:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-06-14 16:00 . 2009-06-14 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:27 . 2009-06-14 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-----w- c:\program files\ERUNT
2009-06-08 20:02 . 2009-06-08 20:06 -------- d-----w- c:\documents and settings\cynth\Local Settings\Application Data\Adobe
2009-06-02 19:20 . 2004-10-15 17:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- c:\program files\Sygate
2009-05-26 20:54 . 2007-05-25 15:52 351232 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
2009-05-26 20:54 . 2007-05-25 15:52 139264 ----a-w- c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 10:35 . 2006-11-23 13:18 -------- d-----w- c:\documents and settings\tom\Application Data\CyberLink
2009-06-25 10:35 . 2008-12-29 12:08 -------- d-----w- c:\documents and settings\tom\Application Data\ArcSoft
2009-06-25 10:35 . 2006-07-15 15:30 -------- d-----w- c:\documents and settings\tom\Application Data\Apple Computer
2009-06-25 10:35 . 2006-01-16 10:39 -------- d-----w- c:\documents and settings\tom\Application Data\AdobeUM
2009-06-25 10:26 . 2005-12-27 15:51 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-06-25 10:12 . 2008-12-29 12:08 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-06-24 18:01 . 2008-12-12 13:19 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-20 15:17 . 2008-05-28 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 15:16 . 2008-08-11 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-12 09:55 . 2008-08-11 20:48 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 19:18 . 2007-10-06 14:25 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\Skinux
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\ArcSoft
2009-05-16 10:37 . 2006-08-15 19:22 -------- d-----w- c:\program files\Google
2009-05-11 09:11 . 2008-08-11 20:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 09:11 . 2008-08-11 20:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-11 09:10 . 2008-08-11 20:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-09-19 19:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:46 . 2005-12-27 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-29 04:56 . 2006-06-23 10:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 11:07 . 2009-04-25 11:07 152576 ----a-w- c:\documents and settings\tom\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2002-09-19 19:26 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 11:43 . 2009-04-16 11:40 67 -c--a-w- C:\New Project.dat
2009-04-15 14:51 . 2004-09-30 13:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-07 11:25 . 2008-03-07 11:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-20_15.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 10:12 . 2009-06-25 10:12 16384 c:\windows\Temp\Perflib_Perfdata_634.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Loaris Trojan Remover"="c:\program files\Loaris Trojan Remover\TrojanRemover.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PrnSys Executable"="c:\program files\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2003-09-16 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"realteks"="c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe" [BU]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 09:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"25996:TCP"= 25996:TCP:PORT_25996
"27165:TCP"= 27165:TCP:PORT_27165
"14047:TCP"= 14047:TCP:PORT_14047
"51711:TCP"= 51711:TCP:PORT_51711
"27816:TCP"= 27816:TCP:PORT_27816
"37065:TCP"= 37065:TCP:PORT_37065
"16020:TCP"= 16020:TCP:PORT_16020
"40219:TCP"= 40219:TCP:PORT_40219
"34969:TCP"= 34969:TCP:PORT_34969
"64887:TCP"= 64887:TCP:PORT_64887
"8575:TCP"= 8575:TCP:PORT_8575
"63055:TCP"= 63055:TCP:PORT_63055
"17305:TCP"= 17305:TCP:PORT_17305
"19958:TCP"= 19958:TCP:PORT_19958
"16313:TCP"= 16313:TCP:PORT_16313
"5064:TCP"= 5064:TCP:PORT_5064
"48689:TCP"= 48689:TCP:PORT_48689
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/08/2008 21:48 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/08/2008 21:48 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/10/2006 11:31 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2008 21:48 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/01/2009 11:51 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [29/07/2007 19:50 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/03/2008 12:25 29744]
.
Contents of the 'Scheduled Tasks' folder
2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]
2009-06-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2009-06-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-22 09:09]
2009-06-24 c:\windows\Tasks\User_Feed_Synchronization-{B46AED34-E5FA-4E84-BCD5-B08221679D4F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 11:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-586325353-3991718394-1891130813-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-06-25 11:41
ComboFix-quarantined-files.txt 2009-06-25 10:41
ComboFix2.txt 2009-06-20 15:54
Pre-Run: 55,651,725,312 bytes free
Post-Run: 55,640,756,224 bytes free
218 --- E O F --- 2009-06-14 12:23
Upload was successful
Also the Kaspersky log that you requested. (Also run yesterday.)
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 25, 2009 13:04:34
Records in database: 2388497
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Files scanned: 62048
Threat name: 6
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 02:09:31
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys.vir Infected: Trojan.Win32.Agent.chwd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\regscan.exe.vir Infected: Trojan-Downloader.Win32.Agent.hlp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfwowfkrxlllaylf.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmiiovmwcbvplwmy.dll.vir Infected: Trojan.Win32.TDSS.adzw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwnoernthewrbrmh.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxwewbbfbhqvvnip.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACyabwemydktuwehq.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\[4]-Submit_2009-06-25_11.34.35.zip Infected: Trojan.Win32.TDSS.aegg 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299977.sys Infected: Trojan.Win32.Agent.chwd 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299978.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299979.dll Infected: Trojan.Win32.TDSS.adzw 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299980.dll Infected: Trojan.Win32.TDSS.adzx 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299981.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0299982.dll Infected: Trojan.Win32.TDSS.aegg 1
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP596\A0300004.exe Infected: Trojan-Downloader.Win32.Agent.hlp 1
The selected area was scanned.
Regarding the questions that you asked in the previous post, my friend does not know what the folder "New Project" is.
He doesn't play online games, and doesn't know about the open firewall ports.
(He is not really computer savvy.)
Very best regards
Stephen
Bio-Hazard
2009-06-28, 00:33
Run CFScript
Close any open browsers.
Open Notepad by clicking Start
Click Run
Type notepad into the box and press Enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Loaris Trojan Remover"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"realteks"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"=-
"37785:TCP"=-
"25996:TCP"=-
"27165:TCP"=-
"14047:TCP"=-
"51711:TCP"=-
"27816:TCP"=-
"37065:TCP"=-
"16020:TCP"=-
"40219:TCP"=-
"34969:TCP"=-
"64887:TCP"=-
"8575:TCP"=-
"63055:TCP"=-
"17305:TCP"=-
"19958:TCP"=-
"16313:TCP"=-
"5064:TCP"=-
"48689:TCP"=-
File::
c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe
C:\New Project.dat
Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)
http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Referring to the picture below, drag CFScript into ComboFix.exe
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt
NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
A description of how your computer is behaving
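The firewall section of the ComboFix logs above (nineteen GloballyOpenPorts entries named only PORT_<n>, mshta.exe in the AuthorizedApplications list, EnableFirewall set to 0) is what the helper read by eye before writing the CFScript. As an added example, not code from this thread or from ComboFix, here is a Python script that parses that section of a ComboFix-style log, flags the generic PORT_<n> high-port exceptions, any script host authorized through the firewall and a disabled firewall, and renders the CFScript Registry:: block that removes the flagged values. The sample log is constructed to match the layout seen in the thread; the heuristics are mine, and the only assumption about CFScript is the one the helper's own script relies on, that "name"=- under a key deletes that value.

```python
"""Triage Windows Firewall exceptions in a ComboFix-style log and emit the
CFScript 'Registry::' block that removes the suspicious ones.

Added example for this thread; not ComboFix's code. It assumes the log
layout seen in the thread ([key] header, then "name"= value lines) and that
CFScript deletes a value with "name"=- as in the helper's script.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread's log layout (not a real capture).
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6253:TCP"= 6253:TCP:PORT_6253
"37785:TCP"= 37785:TCP:PORT_37785
"3389:TCP"= 3389:TCP:Remote Desktop
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "6253:TCP"= 6253:TCP:PORT_6253  ->  port, protocol, rule name
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# "c:\\WINDOWS\\system32\\mshta.exe"=  ->  quoted path (backslashes doubled, as in the log)
APP_RE = re.compile(r'^"([^"]+)"=\s*$')

# Script hosts that a legitimate user rarely whitelists in the firewall by hand.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "cmd.exe"}


def parse_firewall_policy(log: str) -> Dict[str, object]:
    """Collect the standard-profile firewall settings from a ComboFix-style log."""
    policy: Dict[str, object] = {"profile": {}, "apps": [], "ports": [], "keys": {}}
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or "firewallpolicy\\standardprofile" not in section.lower():
            continue
        if section.endswith("GloballyOpenPorts\\List"):
            policy["keys"]["ports"] = section  # keep the header verbatim for the script
            m = PORT_RE.match(line)
            if m:
                policy["ports"].append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif section.endswith("AuthorizedApplications\\List"):
            policy["keys"]["apps"] = section
            m = APP_RE.match(line)
            if m:
                policy["apps"].append(m.group(1))
        else:
            name, _, value = line.partition("=")
            policy["profile"][name.strip().strip('"')] = value.strip()
    return policy


def find_suspicious(policy: Dict[str, object]) -> Dict[str, object]:
    """Apply the defender's heuristics the thread's log illustrates."""
    firewall_off = policy["profile"].get("EnableFirewall", "").startswith("0")
    # A high port whose rule name is only the PORT_<n> placeholder carries no
    # human intent; every malware-added rule in the thread's log looked like that.
    ports: List[Tuple[int, str]] = [(p, proto) for p, proto, name in policy["ports"]
                                    if p >= 1024 and name == f"PORT_{p}"]
    # A script host allowed through the firewall is a tampering indicator.
    apps = [a for a in policy["apps"] if re.split(r"\\+", a)[-1].lower() in SCRIPT_HOSTS]
    return {"firewall_off": firewall_off, "ports": ports, "apps": apps}


def build_cfscript(policy: Dict[str, object], findings: Dict[str, object]) -> str:
    """Render the CFScript 'Registry::' section that deletes the flagged values."""
    lines: List[str] = ["Registry::"]
    if findings["ports"]:
        lines.append(f"[{policy['keys']['ports']}]")
        lines += [f'"{p}:{proto}"=-' for p, proto in findings["ports"]]
    if findings["apps"]:
        lines.append(f"[{policy['keys']['apps']}]")
        lines += [f'"{a}"=-' for a in findings["apps"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pol = parse_firewall_policy(SAMPLE_LOG)
    found = find_suspicious(pol)
    if found["firewall_off"]:
        print("! Windows Firewall is disabled (EnableFirewall = 0); re-enable it after cleanup")
    print(build_cfscript(pol, found))
```

The script only deletes values it can justify from the log itself; the disabled firewall is reported rather than scripted, since re-enabling it is a setting to turn back on, not a value to remove.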
stephen_g
2009-06-29, 11:21
Hi,
Many thanks for your help.
I will send the logs later this week.
Best regards
Stephen
stephen_g
2009-07-04, 13:24
Hi,
Here are the ComboFix log and also the HijackThis log.
ComboFix 09-07-03.03 - tom 04/07/2009 10:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.398 [GMT 1:00]
Running from: c:\documents and settings\tom\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FILE ::
"c:\documents and settings\tom\Application Data\Google\uqrke8412012.exe"
"C:\New Project.dat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\New Project.dat
c:\windows\Installer\3da649.msi
c:\windows\Installer\460a4c.msi
c:\windows\Installer\47cf3d.msi
c:\windows\system32\UACbwaqcmxehatlrkc.log
c:\windows\system32\UACcvamdrvnfdtkolq.log
c:\windows\system32\UACcxcqecmkeicvmky.log
c:\windows\system32\UACcxvtcratgetmscn.log
c:\windows\system32\UACdljiokilbkjbwwy.log
c:\windows\system32\UACdxuvmjgsblijjmw.log
c:\windows\system32\UACdyqxhfrxcegxdyr.log
c:\windows\system32\UACetgnmvbemharkkw.log
c:\windows\system32\UACfwowxcmdvpvwauh.log
c:\windows\system32\UACjlkxqircqfigfjp.log
c:\windows\system32\UACmjyierxtneojoou.log
c:\windows\system32\UACpbcrcvgxgxivppn.log
c:\windows\system32\UACpxrnirdqurqfdsq.log
c:\windows\system32\UACqepxqidnskaccgt.log
c:\windows\system32\UACqioxxgvynbbiyuu.log
c:\windows\system32\UACtwhxurvivknpulk.log
c:\windows\system32\UACuihsyvmuwfjxgor.log
c:\windows\system32\UACvbexujxlspbytph.log
c:\windows\system32\UACvipioiefrwapcny.log
.
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.
2009-06-27 09:54 . 2009-06-12 09:55 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-27 09:54 . 2009-06-12 09:55 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-27 09:54 . 2009-06-12 09:55 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-27 09:53 . 2009-06-12 09:54 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-27 09:53 . 2009-06-27 09:53 390664 ----a-w- c:\documents and settings\tom\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-16 19:46 . 2009-06-16 19:46 0 ----a-w- c:\documents and settings\tom\settings.dat
2009-06-16 19:11 . 2009-06-15 14:05 359893 -c--a-w- C:\dds.scr
2009-06-16 19:11 . 2009-06-15 14:06 359893 -c--a-w- C:\dds.com
2009-06-16 19:03 . 2009-06-16 19:03 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-06-14 16:33 . 2004-10-15 17:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-06-14 16:33 . 2004-10-15 17:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-06-14 16:33 . 2004-10-15 17:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-06-14 16:00 . 2009-06-14 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:27 . 2009-06-14 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-----w- c:\program files\ERUNT
2009-06-08 20:02 . 2009-06-08 20:06 -------- d-----w- c:\documents and settings\cynth\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 09:26 . 2005-12-27 15:51 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-07-04 09:20 . 2008-12-29 12:08 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-07-03 15:41 . 2008-12-12 13:19 12 ----a-w- c:\windows\bthservsdp.dat
2009-07-03 14:11 . 2008-05-28 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-27 09:54 . 2008-08-11 20:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 10:35 . 2006-11-23 13:18 -------- d-----w- c:\documents and settings\tom\Application Data\CyberLink
2009-06-25 10:35 . 2008-12-29 12:08 -------- d-----w- c:\documents and settings\tom\Application Data\ArcSoft
2009-06-25 10:35 . 2006-07-15 15:30 -------- d-----w- c:\documents and settings\tom\Application Data\Apple Computer
2009-06-25 10:35 . 2006-01-16 10:39 -------- d-----w- c:\documents and settings\tom\Application Data\AdobeUM
2009-06-14 15:16 . 2008-08-11 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-12 09:55 . 2008-08-11 20:48 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 19:18 . 2007-10-06 14:25 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-02 19:20 . 2009-06-02 19:20 -------- d-----w- c:\program files\Sygate
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\Skinux
2009-05-17 10:39 . 2009-05-17 10:39 -------- d-----w- c:\documents and settings\cynth\Application Data\ArcSoft
2009-05-16 10:37 . 2006-08-15 19:22 -------- d-----w- c:\program files\Google
2009-05-11 09:11 . 2008-08-11 20:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 09:10 . 2008-08-11 20:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2002-09-19 19:26 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:46 . 2005-12-27 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-29 04:56 . 2006-06-23 10:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-25 11:07 . 2009-04-25 11:07 152576 ----a-w- c:\documents and settings\tom\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2002-09-19 19:26 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-09-30 13:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-07 11:25 . 2008-03-07 11:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-20_15.49.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-04 09:20 . 2009-07-04 09:20 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
- 2002-09-19 19:26 . 2009-04-24 08:44 63188 c:\windows\system32\perfc009.dat
+ 2002-09-19 19:26 . 2009-06-27 10:29 63188 c:\windows\system32\perfc009.dat
- 2002-09-19 19:52 . 2009-06-20 15:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-09-19 19:52 . 2009-07-03 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2002-09-19 19:52 . 2009-06-20 15:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2002-09-19 19:52 . 2009-07-03 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2002-09-19 19:52 . 2009-06-20 15:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2002-09-19 19:52 . 2009-07-03 14:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-11-28 14:08 . 2006-11-28 14:08 94208 c:\windows\Installer\263d04.msi
+ 2009-05-02 16:34 . 2009-05-02 16:34 24064 c:\windows\Installer\13a791.msi
+ 2007-02-06 15:23 . 2007-02-06 15:23 29696 c:\windows\Installer\107ebd.msi
+ 2002-09-19 19:16 . 2002-08-29 12:00 67584 c:\windows\I386\WINNT32.MSI
- 2002-09-19 19:26 . 2009-04-24 08:44 403968 c:\windows\system32\perfh009.dat
+ 2002-09-19 19:26 . 2009-06-27 10:29 403968 c:\windows\system32\perfh009.dat
+ 2008-09-17 16:53 . 2007-04-02 18:34 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2008-09-17 16:53 . 2007-04-02 18:34 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2009-02-11 15:59 . 2009-02-11 15:59 697856 c:\windows\Installer\df0c4.msi
+ 2008-12-29 12:07 . 2008-12-29 12:07 202752 c:\windows\Installer\d9d98.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 182784 c:\windows\Installer\d9d87.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 182784 c:\windows\Installer\d9d82.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 185856 c:\windows\Installer\d9d7d.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 307712 c:\windows\Installer\d9d78.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 183808 c:\windows\Installer\d9d73.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 302592 c:\windows\Installer\d9d6e.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 190464 c:\windows\Installer\d9d69.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 295936 c:\windows\Installer\d9d64.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 370688 c:\windows\Installer\d9d5f.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 281088 c:\windows\Installer\d9d5a.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 212992 c:\windows\Installer\d9d54.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 562688 c:\windows\Installer\d9d4e.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 186368 c:\windows\Installer\d9d49.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 180736 c:\windows\Installer\d9d44.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 181248 c:\windows\Installer\d9d3f.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 396800 c:\windows\Installer\d9d3a.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 406528 c:\windows\Installer\d9d35.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 291840 c:\windows\Installer\d9d30.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 357376 c:\windows\Installer\d9d2b.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 291840 c:\windows\Installer\d9d26.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 182784 c:\windows\Installer\d9d21.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 288768 c:\windows\Installer\d9d1c.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 294912 c:\windows\Installer\d9d17.msi
+ 2002-09-19 19:54 . 2002-09-19 19:54 264704 c:\windows\Installer\d91e.msi
+ 2007-06-21 17:34 . 2007-06-21 17:34 509952 c:\windows\Installer\9db3f.msi
+ 2009-06-14 16:33 . 2009-06-14 16:33 981504 c:\windows\Installer\8298c.msi
+ 2009-01-10 20:57 . 2009-01-10 20:57 562176 c:\windows\Installer\8052d.msi
+ 2007-08-15 12:04 . 2007-08-15 12:04 431104 c:\windows\Installer\7902e6.msi
+ 2008-11-12 19:25 . 2008-11-12 19:25 432640 c:\windows\Installer\715032.msi
+ 2008-10-01 11:38 . 2008-10-01 11:38 532992 c:\windows\Installer\65d98.msi
+ 2007-12-01 11:46 . 2007-12-01 11:46 492032 c:\windows\Installer\65bdf.msi
+ 2008-08-11 20:47 . 2008-08-11 20:47 337408 c:\windows\Installer\47c833.msi
+ 2009-05-17 10:31 . 2009-05-17 10:31 806912 c:\windows\Installer\2e051f.msi
+ 2006-11-18 13:42 . 2006-11-18 13:42 428544 c:\windows\Installer\23842f.msi
+ 2006-06-13 14:12 . 2006-06-13 14:12 509440 c:\windows\Installer\203a12.msp
+ 2005-12-27 17:40 . 2005-12-27 17:40 131072 c:\windows\Installer\1e4a1.msi
+ 2005-12-27 17:40 . 2005-12-27 17:40 131072 c:\windows\Installer\1e49c.msi
+ 2005-12-27 17:40 . 2005-12-27 17:40 132608 c:\windows\Installer\1e497.msi
+ 2005-12-27 17:39 . 2005-12-27 17:39 327680 c:\windows\Installer\1e492.msi
+ 2005-12-27 17:21 . 2005-12-27 17:21 129536 c:\windows\Installer\1c64a7.msi
+ 2005-12-27 17:20 . 2005-12-27 17:20 540672 c:\windows\Installer\1c6483.msi
+ 2005-12-27 17:19 . 2005-12-27 17:19 501248 c:\windows\Installer\1c6478.msi
+ 2005-12-27 17:19 . 2005-12-27 17:19 130560 c:\windows\Installer\1c6473.msi
+ 2005-12-27 17:19 . 2005-12-27 17:19 510464 c:\windows\Installer\1c646e.msi
+ 2005-12-27 17:18 . 2005-12-27 17:18 275456 c:\windows\Installer\1c6459.msi
+ 2005-12-27 17:18 . 2005-12-27 17:18 340480 c:\windows\Installer\1c6443.msi
+ 2005-12-27 17:15 . 2005-12-27 17:15 209920 c:\windows\Installer\1c6424.msi
+ 2008-06-11 13:02 . 2008-06-11 13:02 830464 c:\windows\Installer\19fe946.msp
+ 2006-03-11 13:58 . 2006-03-11 13:58 557056 c:\windows\Installer\194908.msi
+ 2006-05-12 16:49 . 2005-04-04 00:07 982016 c:\windows\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\ISScript11.Msi
+ 2002-09-19 19:26 . 2004-07-17 18:35 1326080 c:\windows\system32\webfldrs.msi
+ 2004-07-17 18:35 . 2004-07-17 18:35 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2008-09-17 16:54 . 2007-04-02 18:42 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2007-05-25 12:08 . 2007-05-25 12:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2008-06-04 12:54 . 2008-06-04 12:54 3620864 c:\windows\Installer\f7820.msi
+ 2007-03-19 09:31 . 2007-03-19 09:31 5259776 c:\windows\Installer\e4254.msp
+ 2009-04-06 16:00 . 2009-04-06 16:00 5518336 c:\windows\Installer\e1a4a.msp
+ 2008-10-22 22:43 . 2008-10-22 22:43 6820352 c:\windows\Installer\ddeb8b.msp
+ 2008-10-22 22:48 . 2008-10-22 22:48 7672832 c:\windows\Installer\ddeb79.msp
+ 2008-11-05 14:25 . 2008-11-05 14:25 5518336 c:\windows\Installer\ddeb67.msp
+ 2007-09-18 13:18 . 2007-09-18 13:18 5489152 c:\windows\Installer\da55dc.msp
+ 2008-12-29 12:06 . 2008-12-29 12:06 1506304 c:\windows\Installer\d9d92.msi
+ 2008-12-29 12:05 . 2008-12-29 12:05 1922560 c:\windows\Installer\d9d8c.msi
+ 2008-12-29 12:04 . 2008-12-29 12:04 1020928 c:\windows\Installer\d9d11.msi
+ 2008-12-29 12:01 . 2008-12-29 12:01 2109440 c:\windows\Installer\d9d0b.msi
+ 2008-09-05 12:08 . 2008-09-05 12:08 5515776 c:\windows\Installer\c6fe91.msp
+ 2007-06-19 14:48 . 2007-06-19 14:48 5247488 c:\windows\Installer\b4fe2.msp
+ 2007-06-05 13:48 . 2007-06-05 13:48 9944064 c:\windows\Installer\b4fd0.msp
+ 2009-01-14 15:43 . 2009-01-14 15:43 5520384 c:\windows\Installer\9c0fc8.msp
+ 2008-04-18 13:26 . 2008-04-18 13:26 5518336 c:\windows\Installer\880b76.msp
+ 2006-05-12 16:49 . 2006-05-12 16:49 8979968 c:\windows\Installer\87178.msi
+ 2009-01-10 22:23 . 2009-01-10 22:23 2329600 c:\windows\Installer\7cd16.msi
+ 2007-05-25 10:55 . 2007-05-25 10:55 5265408 c:\windows\Installer\7c910a.msp
+ 2009-05-12 12:01 . 2009-05-12 12:01 6818816 c:\windows\Installer\7b604.msp
+ 2009-05-28 11:32 . 2009-05-28 11:32 5518848 c:\windows\Installer\7b5f2.msp
+ 2009-04-23 16:57 . 2009-04-23 16:57 7672832 c:\windows\Installer\7b5e0.msp
+ 2007-07-23 15:40 . 2007-07-23 15:40 9945600 c:\windows\Installer\79031b.msp
+ 2007-07-24 14:02 . 2007-07-24 14:02 5240320 c:\windows\Installer\790309.msp
+ 2007-05-22 08:46 . 2007-05-22 08:46 6108672 c:\windows\Installer\7902f7.msp
+ 2008-10-25 09:15 . 2008-10-25 09:15 6227456 c:\windows\Installer\715055.msp
+ 2008-10-17 09:03 . 2008-10-17 09:03 5518336 c:\windows\Installer\715043.msp
+ 2009-02-11 15:02 . 2009-02-11 15:02 5519872 c:\windows\Installer\56bf75.msp
+ 2005-10-26 14:59 . 2005-10-26 14:59 2883072 c:\windows\Installer\54dcfd.msp
+ 2006-12-04 13:51 . 2006-12-04 13:51 5250560 c:\windows\Installer\54dceb.msp
+ 2008-03-16 16:11 . 2008-03-16 16:11 5512704 c:\windows\Installer\543f04.msp
+ 2009-05-01 14:49 . 2009-05-01 14:49 4328960 c:\windows\Installer\5029fa.msp
+ 2007-11-02 09:30 . 2007-11-02 09:30 7554048 c:\windows\Installer\4e49cf.msp
+ 2008-01-14 16:53 . 2008-01-14 16:53 5213696 c:\windows\Installer\4df31a.msp
+ 2008-01-25 15:29 . 2008-01-25 15:29 5514752 c:\windows\Installer\4df309.msp
+ 2009-01-10 22:10 . 2009-01-10 22:10 1549312 c:\windows\Installer\4b3ad8.msi
+ 2007-11-16 12:58 . 2007-11-16 12:58 5495296 c:\windows\Installer\4895eb.msp
+ 2007-11-08 11:42 . 2007-11-08 11:42 4158464 c:\windows\Installer\4895da.msp
+ 2009-03-05 14:40 . 2009-03-05 14:40 6819840 c:\windows\Installer\4815fb.msp
+ 2008-08-14 14:01 . 2008-08-14 14:01 5517312 c:\windows\Installer\44a463.msp
+ 2007-01-24 13:05 . 2007-01-24 13:05 5228544 c:\windows\Installer\4251b7.msp
+ 2007-01-19 10:46 . 2007-01-19 10:46 6814208 c:\windows\Installer\425193.msp
+ 2006-12-18 11:48 . 2006-12-18 11:48 5444096 c:\windows\Installer\425181.msp
+ 2007-01-24 07:48 . 2007-01-24 07:48 9804800 c:\windows\Installer\42516f.msp
+ 2007-01-10 10:05 . 2007-01-10 10:05 9921024 c:\windows\Installer\42515d.msp
+ 2006-11-20 16:37 . 2006-11-20 16:37 6553088 c:\windows\Installer\42514b.msp
+ 2008-05-15 08:50 . 2008-05-15 08:50 5515776 c:\windows\Installer\4217cd.msp
+ 2008-01-31 10:30 . 2008-01-31 10:30 9947648 c:\windows\Installer\3df00b.msp
+ 2008-02-15 14:57 . 2008-02-15 14:57 5517312 c:\windows\Installer\3defe5.msp
+ 2008-12-12 11:09 . 2008-12-12 11:09 5517824 c:\windows\Installer\2ffd47.msp
+ 2007-04-11 12:47 . 2007-04-11 12:47 5264896 c:\windows\Installer\2794ab.msp
+ 2007-04-25 14:14 . 2007-04-25 14:14 9828864 c:\windows\Installer\279487.msp
+ 2007-04-25 14:09 . 2007-04-25 14:09 9944064 c:\windows\Installer\279475.msp
+ 2007-04-25 14:10 . 2007-04-25 14:10 6835712 c:\windows\Installer\279463.msp
+ 2006-09-19 16:13 . 2006-09-19 16:13 8272896 c:\windows\Installer\203a5a.msp
+ 2006-10-12 10:50 . 2006-10-12 10:50 1091584 c:\windows\Installer\203a48.msp
+ 2006-12-19 15:42 . 2006-12-19 15:42 4008448 c:\windows\Installer\2039ff.msp
+ 2006-12-19 15:42 . 2006-12-19 15:42 6649856 c:\windows\Installer\2039fe.msp
+ 2006-09-11 12:19 . 2006-09-11 12:19 6253056 c:\windows\Installer\2039d6.msp
+ 2006-11-20 13:42 . 2006-11-20 13:42 9713664 c:\windows\Installer\2039b2.msp
+ 2005-12-27 17:20 . 2005-12-27 17:20 1179648 c:\windows\Installer\1c6492.msi
+ 2008-06-11 14:05 . 2008-06-11 14:05 9994240 c:\windows\Installer\1a06af.msp
+ 2008-06-10 13:09 . 2008-06-10 13:09 5517312 c:\windows\Installer\1a0699.msp
+ 2008-07-16 09:39 . 2008-07-16 09:39 5519360 c:\windows\Installer\19fe96a.msp
+ 2008-07-08 10:27 . 2008-07-08 10:27 8436736 c:\windows\Installer\19fe958.msp
+ 2004-09-30 13:21 . 2004-09-30 13:21 3443712 c:\windows\Installer\17b78.msi
+ 2007-09-10 16:01 . 2007-09-10 16:01 5488640 c:\windows\Installer\176f959.msp
+ 2009-01-10 22:44 . 2009-01-10 22:44 3762688 c:\windows\Installer\13c230.msi
+ 2009-01-10 22:42 . 2009-01-10 22:42 1652224 c:\windows\Installer\13c0a3.msi
+ 2009-01-10 22:41 . 2009-01-10 22:41 8989696 c:\windows\Installer\13c09e.msi
+ 2009-01-10 22:38 . 2009-01-10 22:38 3152384 c:\windows\Installer\13be09.msi
+ 2004-09-30 13:48 . 2004-09-30 13:48 3135488 c:\windows\Installer\12abd.msi
+ 2004-09-30 13:46 . 2004-09-30 13:46 4716032 c:\windows\Installer\12ab0.msi
+ 2004-09-30 13:44 . 2004-09-30 13:44 3924992 c:\windows\Installer\12aa0.msi
+ 2004-09-30 13:42 . 2004-09-30 13:42 1225728 c:\windows\Installer\12a9a.msi
+ 2007-02-12 16:30 . 2007-02-12 16:30 5235200 c:\windows\Installer\1147a5.msp
+ 2005-12-27 15:49 . 2009-05-17 10:25 6170112 c:\windows\Downloaded Installations\{C0FA7138-477B-4FEC-8F23-640C21C2287B}\Microsoft AntiSpyware.msi
+ 2006-05-12 16:49 . 2005-12-21 10:57 9934848 c:\windows\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\iTunes.msi
+ 2005-12-27 14:11 . 2004-09-30 13:25 10038784 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142040}\Java 2 Runtime Environment, SE v1.4.2_04.msi
+ 2005-09-23 07:48 . 2005-09-23 07:48 24863744 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\netfx.msi
+ 2007-02-06 15:22 . 2007-01-19 13:20 16633344 c:\windows\Installer\MSN Messenger 8.1.0178\MsnMsgs.Msi
+ 2008-12-29 11:58 . 2008-12-29 11:58 26360320 c:\windows\Installer\d9d00.msi
+ 2008-08-13 13:49 . 2008-08-13 13:49 11816960 c:\windows\Installer\c6fea3.msp
+ 2008-04-14 13:26 . 2008-04-14 13:26 11888128 c:\windows\Installer\880b64.msp
+ 2007-12-01 11:47 . 2007-12-01 11:47 19210240 c:\windows\Installer\65c2a.msp
+ 2007-12-01 13:55 . 2007-12-01 13:55 15256576 c:\windows\Installer\5d3bc2.msp
+ 2008-01-14 15:24 . 2008-01-14 15:24 10721280 c:\windows\Installer\4df2f7.msp
+ 2008-01-14 16:50 . 2008-01-14 16:50 11887104 c:\windows\Installer\4df2e5.msp
+ 2008-07-30 07:50 . 2008-07-30 07:50 12506112 c:\windows\Installer\44a487.msp
+ 2008-06-04 12:29 . 2008-06-04 12:29 16905728 c:\windows\Installer\44a475.msp
+ 2007-01-18 14:29 . 2007-01-18 14:29 10978816 c:\windows\Installer\4251a5.msp
+ 2008-01-31 09:45 . 2008-01-31 09:45 11565056 c:\windows\Installer\3df030.msp
+ 2008-02-29 22:09 . 2008-02-29 22:09 16907776 c:\windows\Installer\3df01e.msp
+ 2008-03-17 12:48 . 2008-03-17 12:48 11813888 c:\windows\Installer\342398.msp
+ 2005-08-08 14:25 . 2005-08-08 14:25 97385984 c:\windows\Installer\285eae.msp
+ 2007-05-01 08:29 . 2007-05-01 08:29 10994688 c:\windows\Installer\279499.msp
+ 2006-09-27 14:28 . 2006-09-27 14:28 10256384 c:\windows\Installer\203a36.msp
+ 2006-09-19 11:23 . 2006-09-19 11:23 12292096 c:\windows\Installer\203a24.msp
+ 2006-09-12 22:44 . 2006-09-12 22:44 13737984 c:\windows\Installer\2039c4.msp
+ 2008-07-08 09:09 . 2008-07-08 09:09 11887616 c:\windows\Installer\19fe97c.msp
+ 2008-07-01 08:25 . 2008-07-01 08:25 11814912 c:\windows\Installer\19fe935.msp
+ 2006-05-12 16:44 . 2006-05-12 16:43 33983488 c:\windows\Downloaded Installations\{CB6E9C5F-FCB5-4937-A4BF-6032D737110C}\iPod for Windows 2006-01-10.msi
+ 2007-07-27 08:03 . 2007-07-27 08:03 119977472 c:\windows\Installer\1b1e4b8.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-02 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PrnSys Executable"="c:\program files\HP\Digital Imaging\HP Print Screen\PrnSys.exe" [2003-09-16 36864]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 09:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/08/2008 21:48 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/08/2008 21:48 108552]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [11/10/2006 11:31 8768]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2008 21:48 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/01/2009 11:51 298776]
R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/01/1980 24608]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [29/07/2007 19:50 20160]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/03/2008 12:25 29744]
.
Contents of the 'Scheduled Tasks' folder
2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:34]
2009-07-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-22 09:09]
2009-07-03 c:\windows\Tasks\User_Feed_Synchronization-{B46AED34-E5FA-4E84-BCD5-B08221679D4F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\tom\Application Data\Mozilla\Firefox\Profiles\3sawlonc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 10:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-586325353-3991718394-1891130813-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-04 10:37
ComboFix-quarantined-files.txt 2009-07-04 09:36
ComboFix2.txt 2009-06-25 10:42
ComboFix3.txt 2009-06-20 15:54
Pre-Run: 55,406,632,960 bytes free
Post-Run: 55,604,523,008 bytes free
386 --- E O F --- 2009-06-14 12:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:01, on 04/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\tom\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
--
End of file - 11159 bytes
Regarding how the computer is behaving.
The false infection warning pop-ups have now ceased. (Before your help, they were occurring very frequently.)
Sygate is now running correctly (it was not previously, and we were unable to reinstall it).
My friend tells me that he is unable to access Google from his own user (Tom) (as the system locks out).
However he can access Google from one of the other users that are defined on the system.
Once again many thanks for your help.
Best regards
Stephen
Bio-Hazard
2009-07-05, 08:03
Hello!
Looks like your friend got reinfected. I am looking into the Google problem.
Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
If you have version 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
Click on Mode > Advanced Mode. When it prompts you, click Yes.
On the left hand side, click on Tools.
Check this box if it is not yet ticked: Resident.
You will notice that Resident is now added under Tools. Click on Resident.
Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.
Remove HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.
Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop.
Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the Perform Full Scan option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Uninstall list
Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Hijackthis Uninstall list
Malwarebytes Antimalware log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
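A small triage script for HijackThis O4/R3 lines like the ones listed in the post above. This is an added example, not part of this thread, HijackThis or Malwarebytes: the sample lines are copied from the posted log (constructed input), and the heuristics it applies (expected home directories for Windows system binaries, autostarts from user-writable profile folders, hooks pointing at a missing file) are this example's own assumptions, not HijackThis rules.

```python
"""Heuristic triage of HijackThis O4/R3 entries (added example, assumptions noted inline)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: a few O4/R3 lines copied from the posted HijackThis log,
# benign entries mixed with three of the ones the helper asked to be fixed.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
""".strip()

# Assumption for this example: on the XP layout seen in the log, these binaries
# only legitimately start from these directories (lower-cased for comparison).
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# User-writable profile locations where a machine-wide Run entry rarely belongs.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<target>\(no file\)|.+)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.exe)', re.IGNORECASE)


def extract_exe_path(command: str) -> Optional[str]:
    """Return the first drive-rooted .exe path in an O4 command, or None."""
    m = PATH_RE.search(command)
    return m.group(1) if m else None


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the line deserves review, else None."""
    m = R3_RE.match(line)
    if m and m.group("target") == "(no file)":
        return "URLSearchHook points at a missing file (orphaned hook)"
    m = O4_RE.match(line)
    if not m:
        return None
    path = extract_exe_path(m.group("cmd"))
    if path is None:  # e.g. rundll32.exe without a drive-rooted path
        return None
    low = path.lower()
    directory, _, basename = low.rpartition("\\")
    homes = SYSTEM_BINARY_HOMES.get(basename)
    if homes is not None and directory not in homes:
        return f"system binary name {basename} starting from unexpected directory {directory}"
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        return "autostart executable lives in a user-writable profile directory"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run triage_line over every line; return (line, reason) for each hit in log order."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"REVIEW: {reason}\n    {entry}")
```

The script only reasons about structure (where a file lives, whether it exists), so an entry it does not flag is not thereby cleared; product reputation still needs a human or a signature database.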
stephen_g
2009-07-05, 12:36
Hi,
Thanks for your help, I'll follow the instructions and send you the logs etc later this week.
Best regards
Stephen
Bio-Hazard
2009-07-10, 08:40
Hello!
How are we getting along?
stephen_g
2009-07-10, 14:54
Hello,
Thanks for your message.
I am hoping to visit my friend and post the logs etc. tomorrow.
Best regards
Stephen
stephen_g
2009-07-11, 19:08
Hi,
I visited my friend this morning to do the scans etc.
The Malwarebytes scan has been running for 5 hours 24 minutes now, has scanned 45437 objects, and found 6 infected objects.
Is this length of time excessive, or would you expect the scan to have to run overnight for example before completing?
One thing that my friend mentioned (I don't know whether this would influence the duration of the scan) is that his daughter has been using the internet while the scan is running (from her own computer via a wireless connection).
Can you advise please?
Best regards
Stephen
Bio-Hazard
2009-07-11, 19:33
Hello!
It seems a very long scan time. What you could do is a quick scan and then run a full scan overnight. Several things will affect the scan time, like how powerful the machine is, whether the computer is being used, whether other security programs are running, how many files there are to be scanned and so on. His daughter's internet surfing won't affect the scan time.
stephen_g
2009-07-12, 12:44
Hi,
Thanks for your reply.
I left the scan running overnight, I'm expecting my friend to call me when it has finished (today), so that I can go back and complete the logs etc.
Thanks again.
Best regards
Stephen
stephen_g
2009-07-12, 21:09
Hi,
Malwarebytes scan took over seven hours!
Here are the logs.
Ad-Aware SE Personal
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
AVG Free 8.5
Bonjour
CCScore
Critical Update for Windows Media Player 11 (KB959772)
Cubasis VST 5
DivX Content Uploader
DivX Web Player
ERUNT 1.1j
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
F5D5050 Driver Uninstall
fflink
Google Desktop
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
HP PSC & OfficeJet 3.5
HP Software Update
iPod for Windows 2006-01-10
iTunes
Java(TM) 6 Update 13
kgcbaby
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
Label Editor
LimeWire PRO 4.18.8
Malwarebytes' Anti-Malware
Master Unit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft AntiSpyware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Mozilla Firefox (3.0.1)
MSN Music Mediabar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Muon Tau MDrive
MySpaceIM
NCH Toolbox
netbrdg
OfotoXMI
overland
QuickTime
RealPlayer
Registry Mechanic 7.0
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SFR
SHASTA
skin0001
SKINXSDK
Sonic MyDVD
Sonic RecordNow!
Spybot - Search & Destroy
staticcr
Switch
Sygate Personal Firewall
tooltips
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VPRINTOL
Wanadoo
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
XviD 1.1 final uninstall
Malwarebytes' Anti-Malware 1.38
Database version: 2406
Windows 5.1.2600 Service Pack 3
12/07/2009 18:27:25
mbam-log-2009-07-12 (18-27-25).txt
Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 206189
Time elapsed: 7 hour(s), 9 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files\Pinnacle\cubasis vst 5\Register\RegTool.exe (Rogue.RegTool) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACmiiovmwcbvplwmy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACfwowfkrxlllaylf.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACwnoernthewrbrmh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACxwewbbfbhqvvnip.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACyabwemydktuwehq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\UACxrmbpxeooqxmhwu.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:31:29, on 12/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\tom\Desktop\HiJackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
--
End of file - 10615 bytes
Computer behaviour before scans etc. No more false infection pop-ups.
Unable to get to Google on one particular user.
Once again, many thanks for your assistance.
Best regards
Stephen
Bio-Hazard
2009-07-13, 11:53
Malwarebytes scan took over seven hours!
That was a long scan. It usually takes about 30 minutes.
Computer behaviour before scans etc. No more false infection pop-ups.
Unable to get to Google on one particular user.
Can you tell me more about this problem? What user account is it? What happens when the user tries to connect to Google? Do the other sites work?
Use of P2P (Person to Person) file sharing programs
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
LimeWire PRO 4.18.8
Please read HERE (http://forums.spybot.info/showpost.php?p=218503&postcount=4) the Safer Networking Forums policy on the use of P2P file sharing programs. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.
NOTE: Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Remove programs
Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for the following (if present):
Microsoft AntiSpyware
NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
Update Java Runtime:
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.
Go to HERE (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says Java Runtime Environment (JRE) 6 Update 14
Click the Download button to the right
From the dropdown menu choose your platform. Which is Windows
Don't change the language box.
Click on the radio button to Accept License Agreement and after that click continue
Click on Windows Offline Installation Multi-language and save the downloaded file to your computer
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
Reboot your computer
Delete the folder C:\Program Files\Java if present
Install the new version by running the newly-downloaded file and follow the on-screen instructions.
Reboot your computer
Update Adobe Reader
Your version of Adobe Reader is out-of-date. There are known security issues with older versions of Adobe Reader. It is strongly suggested that you update to the current version. Please uninstall the older version of Adobe Reader before installing the latest version.
If you are using a FULL featured, purchased version of Adobe Acrobat Reader.
These instructions will remove the current version of Adobe Reader and replace it with the limited feature FREE version. If you want to replace the paid for version with the free version, then continue, otherwise DO NOT perform these steps!
Click Start
Control Panel
Double click on Add/Remove Programs
Locate older version of Adobe Reader and click on Change/Remove to uninstall it
Click HERE (http://www.adobe.com/products/acrobat/readstep2.html) to download the latest version of Adobe Reader.
Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
Close your Internet browser and open it again.
If you don't like Adobe Reader, you can download Foxit PDF Reader from HERE (http://www.filehippo.com/download_foxit/download/423817ca4028434efe3f6174b07468b0/FoxitReader30_enu_Setup.exe). It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Answers to my questions.
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
stephen_g
2009-07-13, 15:34
Hi,
Thanks for the instructions.
I'll carry these out later this week (Friday/Saturday) and get back to you with results.
Best regards
Stephen
Bio-Hazard
2009-07-17, 22:49
Hello!
How are we doing?
stephen_g
2009-07-18, 14:04
Hi,
Just got back from my friends, having completed your instructions.
Here is the fresh HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:13, on 18/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\cynth\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
--
End of file - 11078 bytes
My friend reports that the system appears to be working normally, and that Google etc is accessible now as it should be.
No more false infection pop-ups are occurring.
Spybot, Sygate Personal Firewall, and AVG are all fully operational and have the latest updates installed.
All appears to be well.
Very many thanks for your assistance with this problem, my friend and I really appreciate it.
Best regards
Stephen
Bio-Hazard
2009-07-19, 10:06
Boot into Safe mode.
Here are the instructions on how to boot into safe mode in Windows XP
If the computer is running, shut down Windows and then turn off the power
Wait 30 seconds and then turn the computer on.
Start tapping the F8 key (if this doesn't work try the F5 key). The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon some computers display a keyboard error message. To resolve this restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
You can see Safe mode in every corner of your screen
When you are finished with all troubleshooting close all programs and restart the computer as you normally would.
Remove HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.
Your log now appears to be clean. Congratulations!
You can get rid of the tools we used:
DDS - (You can just delete the exe file from your desktop)
Rootrepeal - (You can just delete the exe file from your desktop)
Erunt - (You can uninstall it from Add/Remove Programs)
Delete ComboFix and Clean Up
Click Start > Run > type Combo-fix /u > OK (Note the space between combofix and /u)
http://i147.photobucket.com/albums/r301/DFW_photos/CF_Cleanup.png
Please advise if this step is missed for any reason as it performs some important actions.
General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) or F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html). I suggest that you run one of them at least once a month.
Make Internet Explorer More Secure
You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE (http://surfthenetsafely.com/ieseczone8.htm)
Recommended Programs
I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.
WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926) and Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding host files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
Firefox (http://www.mozilla.com/en-US/firefox/)
Opera (http://www.opera.com/download/)
Google Chrome (http://www.google.com/chrome)
Here is a great article by miekiemoes How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).
Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Happy surfing and stay clean!
Bio-Hazard
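The helper spotted the leftover [realteks] entry by eye: an HKLM Run key (machine-wide autorun) pointing at a randomly named executable inside one user's Application Data folder. The following is an added example, not code from the thread or from HijackThis, that applies the same triage rules to HijackThis O4 lines automatically; the sample lines are constructed from the log above and the regexes and thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: HijackThis v2.0.2 O4 (autorun) lines modelled on the
# log posted above. The "realteks" entry is the one the helper asked to have fixed.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\HP\Digital Imaging\HP Print Screen\PrnSys.exe",
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r'O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\tom\Application Data\Google\uqrke8412012.exe" 2',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0',
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')",
    r"O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe",
]

# Registry O4 lines: "O4 - <hive>\..\Run: [<value name>] <command>"
# (HKUS lines carry a trailing "(User '...')" which stays in the command part).
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First executable in the command: a quoted path, or the shortest prefix ending in .exe
# (unquoted paths may contain spaces, e.g. the HP Print Screen entry).
EXE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.exe))', re.IGNORECASE)
# User-writable per-profile folders on Windows XP (assumed layout, English locale).
USER_DATA_RE = re.compile(
    r"\\Documents and Settings\\(?P<user>[^\\]+)\\(?:Application Data|Local Settings)\\",
    re.IGNORECASE,
)
# Letters followed by a long digit run (e.g. uqrke8412012) is typical of generated
# file names; the 4-digit threshold is an assumption that avoids rundll32 and HPZipm12.
RANDOM_STEM_RE = re.compile(r"^[a-z]+\d{4,}$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    hive: str
    name: str
    exe: str
    reasons: List[str] = field(default_factory=list)


def parse_o4_run(line: str) -> Optional[Dict[str, str]]:
    """Return hive, value name and executable path for a registry O4 line, else None."""
    m = O4_RUN_RE.match(line)
    if not m:
        return None  # Global Startup (.lnk) entries and other sections are not handled here
    cmd = m.group("cmd").strip()
    exe_match = EXE_RE.match(cmd)
    exe = (exe_match.group("quoted") or exe_match.group("bare")) if exe_match else cmd
    return {"hive": m.group("hive"), "name": m.group("name"), "exe": exe}


def triage_o4(lines: List[str]) -> List[Finding]:
    """Flag autorun entries that look like the [realteks] case: an executable in a
    user-writable profile folder, worse still when launched from a machine-wide
    (HKLM) Run key, and/or carrying a random-looking file name."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_o4_run(line)
        if parsed is None:
            continue
        reasons: List[str] = []
        in_user_data = USER_DATA_RE.search(parsed["exe"])
        if in_user_data:
            reasons.append(f"executable under profile data of user '{in_user_data.group('user')}'")
            if parsed["hive"].upper() == "HKLM":
                reasons.append("machine-wide Run key points into a single user's profile")
        # File name without directory and extension, e.g. "uqrke8412012"
        stem = parsed["exe"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if RANDOM_STEM_RE.match(stem):
            reasons.append(f"random-looking file name '{stem}'")
        if reasons:
            findings.append(Finding(line, parsed["hive"], parsed["name"], parsed["exe"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f.name}] {f.exe}")
        for r in f.reasons:
            print(f"    - {r}")
```

Entries in Program Files, such as the Loaris Trojan Remover key the helper also removed, are not caught by these path heuristics; they still need a human (or a reputation lookup) to judge.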
stephen_g
2009-07-19, 23:27
Hello,
Many thanks for your message, I'll follow the instructions and recommendations.
Thanks for your great help, much appreciated.
I will post in Malware Complaints forum.
Best regards
Stephen
Bio-Hazard
2009-07-20, 16:56
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.