Browsers hijacked, Spybot, Malwarebytes, etc. blocked
chipecan
2009-07-10, 02:56
Firefox is hijacked. I couldn't get Spybot to open... I renamed the exe and now it opens and runs, but it gives me a "no disk" error with Cancel / Ignore / Continue buttons; selecting Continue allows me to move on, but I have to hit Continue every other file scanned. Ad-Aware and HijackThis would not open either until I renamed their exes. Ad-Aware has since been uninstalled.
HELP!!! Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:33 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
L:\WINDOWS\System32\smss.exe
L:\WINDOWS\system32\winlogon.exe
L:\WINDOWS\system32\services.exe
L:\WINDOWS\system32\lsass.exe
L:\WINDOWS\system32\Ati2evxx.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\system32\Ati2evxx.exe
L:\WINDOWS\system32\spoolsv.exe
L:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\system32\HPZipm12.exe
L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
L:\PROGRA~1\AVG\AVG8\avgrsx.exe
L:\PROGRA~1\AVG\AVG8\avgnsx.exe
L:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
L:\WINDOWS\System32\svchost.exe
L:\PROGRA~1\AVG\AVG8\avgemc.exe
L:\WINDOWS\system32\SearchIndexer.exe
L:\Program Files\AVG\AVG8\avgcsrvx.exe
L:\WINDOWS\Explorer.EXE
L:\PROGRA~1\AVG\AVG8\avgtray.exe
L:\Program Files\Analog Devices\SoundMAX\SMTray.exe
L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
L:\Program Files\HP\HP Software Update\HPWuSchd2.exe
L:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
L:\WINDOWS\system32\ctfmon.exe
L:\Program Files\Messenger\msmsgs.exe
L:\Documents and Settings\jrod\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
L:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
L:\Program Files\Logitech\SetPoint\SetPoint.exe
L:\Program Files\Windows Desktop Search\WindowsSearch.exe
L:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
L:\Program Files\WinZip\WZQKPICK.EXE
L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
L:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
L:\Program Files\Trend Micro\HijackThis\HijackThis55545.exe
L:\WINDOWS\system32\NOTEPAD.EXE
L:\Program Files\Mozilla Firefox\firefox.exe
L:\Program Files\Outlook Express\msimn.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - L:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - L:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - L:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] L:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Smapp] L:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StartCCC] "L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RoxWatchTray] "L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] L:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "L:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] L:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "L:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "L:\Documents and Settings\jrod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: HP Digital Imaging Monitor.lnk = L:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = L:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = L:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = L:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://L:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - L:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - L:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: L:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245375514173
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245609854921
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3227BBE-A116-48F6-92B5-531ADBEE118A}: NameServer = 85.255.112.5,85.255.112.107
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.5,85.255.112.107
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.5,85.255.112.107
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.5,85.255.112.107
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - L:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - L:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - L:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - L:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - L:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - L:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - L:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - L:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Pml Driver HPZ12 - HP - L:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - L:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - L:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - L:\DOCUME~1\jrod\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - L:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 8557 bytes
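As an added example (not a tool from this thread, from Safer Networking, or from Trend Micro), here is a small Python triage script that applies the checks a helper makes when reading a HijackThis log like the one above: O17 NameServer entries that point at resolvers which are neither LAN addresses nor on an allowlist the analyst supplies, O23 services whose binary is reported "(file missing)", and O2 BHOs registered with "(no file)". The O17, O23 and O2 lines in the sample are copied from the log above; the 192.168.1.1 and 203.0.113.53 NameServer lines and the 203.0.113.0/24 allowlist are constructed placeholders standing in for a home router and an ISP resolver.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's own tool).

Flags the three line types that carry the problems discussed in the thread:
  * O17 lines whose NameServer addresses are neither on the LAN nor on the
    analyst's allowlist (the DNS redirection the poster calls a TCP/IP hijack),
  * O23 services whose binary is reported "(file missing)",
  * O2 Browser Helper Objects registered with "(no file)".
"""
import ipaddress
import re

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")
# O23 - Service: <name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O2 - BHO: <name> - {CLSID} - <path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# RFC 1918 ranges: a home router handing out DNS normally lives here.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def nameserver_is_expected(addr, expected):
    """True if addr is a LAN address or inside one of the analyst's expected networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS) or any(ip in net for net in expected)


def triage(lines, expected_resolvers=()):
    """Return (severity, line_type, detail) findings for the given HijackThis log lines."""
    expected = [ipaddress.ip_network(n) for n in expected_resolvers]
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            bad = [s for s in servers if not nameserver_is_expected(s, expected)]
            if bad:
                findings.append(("high", "O17", f"unexpected NameServer {','.join(bad)} in {m.group('key')}"))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(("medium", "O23", f"service '{m.group('name')}' points at a missing binary: {m.group('path')}"))
            continue
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append(("low", "O2", f"BHO {m.group('clsid')} is registered but has no backing file"))
    return findings


# Sample input. The first four O17/O23/O2 entries below are copied from the thread's
# HijackThis log; the 192.168.1.1 and 203.0.113.53 lines are constructed for the example.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{F3227BBE-A116-48F6-92B5-531ADBEE118A}: NameServer = 85.255.112.5,85.255.112.107",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.5,85.255.112.107",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1",      # constructed: home router
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.53",     # constructed: ISP resolver
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - L:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: SessionLauncher - Unknown owner - L:\DOCUME~1\jrod\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)",
]

if __name__ == "__main__":
    # The allowlist is a constructed placeholder; put your ISP's resolver range here.
    for severity, kind, detail in triage(SAMPLE_LOG, expected_resolvers=("203.0.113.0/24",)):
        print(f"[{severity:6}] {kind}: {detail}")
```

The O17 check is deliberately an allowlist rather than a blocklist: a resolver that is neither the router nor a known ISP/public resolver is worth a question regardless of which range it falls in, which is exactly how the helper read the log above before asking for ComboFix. Run it without an allowlist and the 203.0.113.53 line is reported too, which is the safe default when the expected resolvers are unknown.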
Hello chipecan
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You have a serious infection on this computer that's preventing security programs from running.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Now right click on Combofix.exe and rename it to Combo-fix.exe
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
chipecan
2009-07-11, 18:41
OK, I think I have most of this nipped in the bud. I killed the TCP/IP hijack via HijackThis and ran CCleaner, and finally got Spybot to run.
Thanks for your help!!!
Here are my logs:
ComboFix 09-07-09.08 - jrod 07/11/2009 11:09.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1438 [GMT -4:00]
Running from: l:\documents and settings\jrod\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.
2009-07-10 22:29 . 2009-07-10 22:32 -------- d-----w- l:\windows\system32\NtmsData
2009-07-10 22:11 . 2009-07-10 22:11 -------- d-----w- l:\documents and settings\jrod\Application Data\Windows Search
2009-07-10 21:47 . 2009-07-10 21:47 -------- d-----w- l:\program files\CCleaner
2009-07-10 01:40 . 2009-07-10 01:40 -------- d-----w- l:\windows\Sun
2009-07-10 01:39 . 2009-07-10 01:38 410984 ----a-w- l:\windows\system32\deploytk.dll
2009-07-10 01:38 . 2009-07-10 01:38 -------- d-----w- l:\program files\Java
2009-07-10 01:38 . 2009-07-10 01:38 152576 ----a-w- l:\documents and settings\jrod\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-09 22:45 . 2009-07-09 22:45 -------- d-----w- l:\documents and settings\jrod\Local Settings\Application Data\WinZip
2009-07-09 22:44 . 2009-07-11 13:38 -------- d-----w- l:\documents and settings\All Users\Application Data\WinZip
2009-07-08 23:15 . 2009-07-08 23:15 -------- d-----w- l:\documents and settings\All Users\Application Data\IObit
2009-07-08 22:25 . 2009-07-08 22:25 -------- d-----w- l:\documents and settings\All Users\Application Data\PCPitstop
2009-07-08 22:24 . 2009-07-08 22:26 -------- d-----w- l:\program files\PCPitstop
2009-07-08 22:23 . 2009-07-09 23:15 -------- dc-h--w- l:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-08 22:23 . 2009-03-12 08:17 2902048 -c--a-w- l:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-08 22:23 . 2009-07-09 22:34 -------- d-----w- l:\documents and settings\All Users\Application Data\Lavasoft
2009-07-08 22:11 . 2009-07-08 22:11 -------- d-----w- l:\program files\Trend Micro
2009-07-07 16:56 . 2009-07-07 16:56 -------- d-sh--w- l:\windows\system32\config\systemprofile\IETldCache
2009-07-07 16:27 . 2009-07-07 16:27 -------- d-----w- l:\program files\VideoLAN
2009-07-07 16:22 . 2009-07-07 16:23 -------- d-----w- l:\documents and settings\jrod\Application Data\DivX
2009-07-07 16:17 . 2009-07-07 16:18 -------- d-----w- l:\program files\DivX
2009-07-07 16:17 . 2009-07-07 16:17 -------- d-----w- l:\program files\Common Files\DivX Shared
2009-07-05 18:18 . 2009-07-05 18:18 -------- d-----w- l:\documents and settings\jrod\Application Data\InstallShield
2009-07-05 18:18 . 2009-07-09 22:34 -------- dc----w- l:\windows\system32\DRVSTORE
2009-07-05 18:18 . 2009-07-05 18:18 -------- d-----w- l:\program files\Common Files\Remote Control USB Driver
2009-07-05 18:15 . 2009-07-05 21:46 -------- d-----w- l:\documents and settings\jrod\Logitech
2009-07-05 18:14 . 2009-07-05 18:18 -------- d-----w- l:\program files\Common Files\Remote Control Software Shared
2009-06-28 19:23 . 2009-06-28 19:23 -------- d-----w- l:\program files\uTorrent
2009-06-28 19:23 . 2009-07-07 16:59 -------- d-----w- l:\documents and settings\jrod\Application Data\uTorrent
2009-06-25 00:18 . 2009-06-25 00:18 -------- d-----w- l:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-24 23:59 . 2009-06-24 23:59 -------- d-sh--w- l:\documents and settings\LocalService\IETldCache
2009-06-24 23:57 . 2009-06-24 23:57 -------- d-----w- l:\program files\Microsoft Silverlight
2009-06-24 23:57 . 2009-06-24 23:57 -------- d-----w- l:\documents and settings\jrod\Application Data\Windows Desktop Search
2009-06-24 23:56 . 2009-06-25 00:40 -------- d-----w- l:\program files\Windows Desktop Search
2009-06-24 23:56 . 2009-06-24 23:56 -------- d-----w- l:\windows\system32\GroupPolicy
2009-06-24 23:56 . 2008-03-07 17:02 98304 -c----w- l:\windows\system32\dllcache\nlhtml.dll
2009-06-24 23:56 . 2008-03-07 17:02 29696 -c----w- l:\windows\system32\dllcache\mimefilt.dll
2009-06-24 23:56 . 2008-03-07 17:02 192000 -c----w- l:\windows\system32\dllcache\offfilt.dll
2009-06-23 23:58 . 2009-02-12 09:35 38208 ----a-w- l:\documents and settings\jrod\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-23 23:58 . 2009-06-23 23:58 -------- d-----w- l:\program files\Common Files\Adobe AIR
2009-06-23 23:57 . 2009-06-24 21:51 -------- d-----w- l:\documents and settings\jrod\Local Settings\Application Data\Adobe
2009-06-23 23:57 . 2009-06-23 23:57 86016 ----a-w- l:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-23 23:57 . 2009-06-25 11:39 -------- d-----w- l:\documents and settings\All Users\Application Data\NOS
2009-06-23 23:57 . 2009-06-25 11:39 -------- d-----w- l:\program files\NOS
2009-06-23 23:47 . 2009-06-23 23:47 -------- d-sh--w- l:\documents and settings\jrod\IECompatCache
2009-06-23 23:47 . 2009-06-23 23:47 -------- d-sh--w- l:\documents and settings\jrod\PrivacIE
2009-06-23 22:52 . 2009-06-23 22:52 -------- d-sh--w- l:\documents and settings\NetworkService\IETldCache
2009-06-23 22:52 . 2009-07-08 23:20 -------- d-sh--w- l:\documents and settings\jrod\IETldCache
2009-06-23 22:45 . 2009-07-08 11:02 -------- d-----w- l:\documents and settings\jrod\Local Settings\Application Data\LastPass
2009-06-23 22:45 . 2008-12-04 05:25 120832 ----a-w- l:\documents and settings\jrod\Application Data\Mozilla\Firefox\Profiles\w28vmj5y.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-23 22:45 . 2009-06-09 18:18 575488 ----a-w- l:\documents and settings\jrod\Application Data\Mozilla\Firefox\Profiles\w28vmj5y.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- l:\windows\system32\XPSViewer
2009-06-23 22:39 . 2009-06-23 22:39 -------- d-----w- l:\program files\Reference Assemblies
2009-06-23 22:38 . 2008-07-06 12:06 89088 -c----w- l:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-23 22:38 . 2008-07-06 12:06 575488 -c----w- l:\windows\system32\dllcache\xpsshhdr.dll
2009-06-23 22:38 . 2008-07-06 12:06 575488 ------w- l:\windows\system32\xpsshhdr.dll
2009-06-23 22:38 . 2008-07-06 12:06 1676288 -c----w- l:\windows\system32\dllcache\xpssvcs.dll
2009-06-23 22:38 . 2008-07-06 12:06 1676288 ------w- l:\windows\system32\xpssvcs.dll
2009-06-23 22:38 . 2008-07-06 12:06 117760 ------w- l:\windows\system32\prntvpt.dll
2009-06-23 22:38 . 2008-07-06 10:50 597504 -c----w- l:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-23 22:38 . 2009-06-23 22:38 -------- d-----w- L:\9672be943e3e3a2093f98cf9a6ca75
2009-06-23 22:25 . 2009-06-02 10:12 102912 -c----w- l:\windows\system32\dllcache\iecompat.dll
2009-06-23 22:25 . 2009-06-23 22:25 -------- d-----w- l:\windows\ie8updates
2009-06-23 22:25 . 2009-04-30 21:22 12800 -c----w- l:\windows\system32\dllcache\xpshims.dll
2009-06-23 22:25 . 2009-04-30 21:22 1985024 -c----w- l:\windows\system32\dllcache\iertutil.dll
2009-06-23 22:25 . 2009-04-30 21:22 11064832 -c----w- l:\windows\system32\dllcache\ieframe.dll
2009-06-23 22:25 . 2009-04-30 21:22 246272 -c----w- l:\windows\system32\dllcache\ieproxy.dll
2009-06-23 22:24 . 2009-06-23 22:24 -------- dc-h--w- l:\windows\ie8
2009-06-22 21:47 . 2009-06-22 21:47 -------- d-----w- l:\documents and settings\All Users\Application Data\HP Product Assistant
2009-06-21 20:41 . 2008-10-16 18:06 268648 ----a-w- l:\windows\system32\mucltui.dll
2009-06-21 18:25 . 2009-06-21 18:25 -------- d-----w- l:\windows\system32\scripting
2009-06-21 18:25 . 2009-06-21 18:25 -------- d-----w- l:\windows\l2schemas
2009-06-21 18:25 . 2009-06-21 18:25 -------- d-----w- l:\windows\system32\en
2009-06-20 19:38 . 2009-06-20 19:39 -------- d-----w- l:\documents and settings\jrod\Application Data\HP
2009-06-20 19:37 . 2009-06-20 19:37 -------- d-----w- l:\documents and settings\All Users\Application Data\HP
2009-06-20 19:36 . 2009-06-20 19:37 -------- d-----w- l:\program files\Common Files\HP
2009-06-20 19:35 . 2009-06-20 19:35 -------- d-----w- l:\program files\Hewlett-Packard
2009-06-20 19:34 . 2009-06-20 19:34 -------- d-----w- l:\program files\Common Files\Hewlett-Packard
2009-06-20 19:33 . 2006-04-10 18:03 38400 ----a-w- l:\windows\system32\hpz3l054.dll
2009-06-20 19:33 . 2008-04-13 18:45 15104 ----a-w- l:\windows\system32\drivers\usbscan.sys
2009-06-20 19:33 . 2006-03-04 01:02 204800 ----a-w- l:\windows\system32\HPZipr12.dll
2009-06-20 19:33 . 2006-03-04 01:02 94208 ----a-w- l:\windows\system32\HPZipt12.dll
2009-06-20 19:33 . 2006-03-04 01:02 57344 ----a-w- l:\windows\system32\HPZisn12.dll
2009-06-20 19:33 . 2007-08-09 07:27 73728 ----a-w- l:\windows\system32\HPZipm12.exe
2009-06-20 19:33 . 2006-03-04 01:03 282680 ----a-w- l:\windows\system32\HPZidr12.dll
2009-06-20 19:33 . 2006-03-04 01:03 65536 ----a-w- l:\windows\system32\HPZinw12.exe
2009-06-20 19:32 . 2009-06-22 21:48 -------- d-----w- l:\program files\HP
2009-06-20 19:27 . 2009-06-20 19:39 117158 ----a-w- l:\windows\hpoins11.dat
2009-06-20 19:27 . 2006-04-13 00:04 49664 ----a-w- l:\windows\system32\drivers\HPZid412.sys
2009-06-20 19:27 . 2006-04-13 00:04 21568 ----a-w- l:\windows\system32\drivers\HPZius12.sys
2009-06-20 19:27 . 2006-04-13 00:04 16496 ----a-w- l:\windows\system32\drivers\HPZipr12.sys
2009-06-20 19:25 . 2006-04-13 00:02 659456 ----a-w- l:\windows\system32\hpowiax2.dll
2009-06-20 19:25 . 2006-04-13 00:02 827392 ----a-w- l:\windows\system32\hpotiop2.dll
2009-06-20 19:25 . 2006-04-13 00:04 282624 ----a-w- l:\windows\system32\HPZc3212.dll
2009-06-20 19:25 . 2006-04-13 00:02 254026 ----a-w- l:\windows\system32\hpovst09.dll
2009-06-20 19:25 . 2006-01-04 08:12 77824 ----a-w- l:\windows\system32\HPZIDS01.dll
2009-06-20 19:25 . 2005-07-19 01:38 98304 ----a-w- l:\windows\system32\hpzjsn01.dll
2009-06-20 19:24 . 2006-05-05 23:17 11634 ----a-w- l:\windows\hpomdl11.dat
2009-06-20 17:42 . 2009-06-20 17:42 -------- d-----w- l:\documents and settings\All Users\Application Data\LogiShrd
2009-06-20 17:40 . 2009-02-19 04:26 301656 ----a-w- l:\windows\system32\BtCoreIf.dll
2009-06-20 17:40 . 2009-02-19 04:27 84496 ----a-w- l:\windows\system32\KemXML.dll
2009-06-20 17:40 . 2009-02-19 04:27 117264 ----a-w- l:\windows\system32\KemWnd.dll
2009-06-20 17:40 . 2009-02-19 04:27 145936 ----a-w- l:\windows\system32\KemUtil.dll
2009-06-20 17:40 . 2009-02-19 04:27 170512 ----a-w- l:\windows\system32\kemutb.dll
2009-06-20 17:40 . 2009-06-20 17:40 -------- d-----w- l:\documents and settings\All Users\Application Data\Logitech
2009-06-20 17:40 . 2009-06-20 17:40 -------- d-----w- l:\program files\Common Files\Logishrd
2009-06-20 17:15 . 2008-04-14 00:12 26624 ----a-w- l:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-20 17:03 . 2009-06-20 17:08 -------- d-----w- L:\smut
2009-06-20 17:02 . 2009-06-20 17:02 -------- d-----w- l:\documents and settings\LocalService\Application Data\Roxio
2009-06-20 17:02 . 2009-07-06 22:39 -------- d-----w- l:\documents and settings\jrod\Application Data\Roxio
2009-06-20 12:01 . 2009-06-20 12:01 -------- d-----w- l:\program files\MSXML 4.0
2009-06-20 08:54 . 2008-04-14 00:11 61440 ------w- l:\windows\system32\kmsvc.dll
2009-06-20 08:34 . 2008-06-13 11:05 272128 -c----w- l:\windows\system32\dllcache\bthport.sys
2009-06-20 08:33 . 2009-03-06 14:22 284160 -c----w- l:\windows\system32\dllcache\pdh.dll
2009-06-20 08:33 . 2009-02-09 12:10 473600 -c----w- l:\windows\system32\dllcache\fastprox.dll
2009-06-20 08:33 . 2009-02-09 12:10 401408 -c----w- l:\windows\system32\dllcache\rpcss.dll
2009-06-20 08:33 . 2009-02-06 11:11 110592 -c----w- l:\windows\system32\dllcache\services.exe
2009-06-20 08:33 . 2009-02-09 12:10 729088 -c----w- l:\windows\system32\dllcache\lsasrv.dll
2009-06-20 08:33 . 2009-02-09 12:10 453120 -c----w- l:\windows\system32\dllcache\wmiprvsd.dll
2009-06-20 08:33 . 2009-02-06 10:10 227840 -c----w- l:\windows\system32\dllcache\wmiprvse.exe
2009-06-20 08:33 . 2009-02-09 12:10 714752 -c----w- l:\windows\system32\dllcache\ntdll.dll
2009-06-20 08:33 . 2009-02-09 12:10 617472 -c----w- l:\windows\system32\dllcache\advapi32.dll
2009-06-20 08:33 . 2009-02-06 11:06 2145280 -c----w- l:\windows\system32\dllcache\ntkrnlmp.exe
2009-06-20 08:33 . 2009-02-06 11:08 2189056 -c----w- l:\windows\system32\dllcache\ntoskrnl.exe
2009-06-20 08:33 . 2009-02-06 10:32 2023936 -c----w- l:\windows\system32\dllcache\ntkrpamp.exe
2009-06-20 08:32 . 2008-05-08 14:02 203136 -c----w- l:\windows\system32\dllcache\rmcast.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 18:30 . 2009-06-19 01:03 86327 ----a-w- l:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-20 17:41 . 2009-06-20 17:41 0 ---ha-w- l:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-06-20 17:41 . 2009-06-20 17:41 0 ---ha-w- l:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-06-20 17:41 . 2009-06-20 17:41 0 ---ha-w- l:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-06-20 17:41 . 2009-06-20 17:41 0 ---ha-w- l:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-19 01:04 . 2009-06-19 01:04 -------- d-----w- l:\program files\microsoft frontpage
2009-06-19 01:01 . 2009-06-19 01:01 21640 ----a-w- l:\windows\system32\emptyregdb.dat
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- l:\windows\system32\mssph.dll
2009-05-13 05:15 . 2006-06-23 15:33 915456 ----a-w- l:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-08-29 07:41 345600 ----a-w- l:\windows\system32\localspl.dll
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- l:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- l:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- l:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- l:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- l:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- l:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- l:\windows\system32\DivX.dll
2009-04-17 12:26 . 2002-08-29 06:14 1847168 ----a-w- l:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- l:\windows\system32\rpcrt4.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- l:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- l:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="l:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="l:\documents and settings\jrod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-19 133104]
"ctfmon.exe"="l:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ccleaner"="l:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="l:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-22 1948440]
"Smapp"="l:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"StartCCC"="l:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RoxWatchTray"="l:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"HP Software Update"="l:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"GrooveMonitor"="l:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="l:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="l:\program files\Java\jre6\bin\jusched.exe" [2009-07-10 148888]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - l:\windows\KHALMNPR.Exe [2008-12-19 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - l:\windows\KHALMNPR.Exe [2008-12-19 76304]
l:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - l:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Logitech SetPoint.lnk - l:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-20 809488]
Windows Search.lnk - l:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "l:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 04:30 72208 ----a-w- l:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-22 13:54 11952 ----a-w- l:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"l:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"l:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"l:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"l:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"l:\\Program Files\\Common Files\\Roxio Shared\\10.0\\SharedCOM\\RoxLiveShare10.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"l:\\Program Files\\uTorrent\\uTorrent.exe"=
"l:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"l:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"l:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"l:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"l:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"l:\\WINDOWS\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;l:\windows\system32\drivers\avgldx86.sys [6/19/2009 5:27 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;l:\windows\system32\drivers\avgtdix.sys [6/19/2009 5:27 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;l:\progra~1\AVG\AVG8\avgemc.exe [6/19/2009 5:27 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;l:\progra~1\AVG\AVG8\avgwdsvc.exe [6/19/2009 5:27 PM 298776]
R2 RoxLiveShare10;LiveShare P2P Server 10;l:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 3:52 PM 309744]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;l:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 84992]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;l:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 3:53 PM 362992]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;l:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 3:52 PM 166384]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;l:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 3:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;l:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 3:52 PM 1083888]
S4 SessionLauncher;SessionLauncher;l:\docume~1\jrod\LOCALS~1\Temp\DX9\SessionLauncher.exe --> l:\docume~1\jrod\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"l:\windows\system32\rundll32.exe" "l:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-11 l:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1202660629-725345543-1003Core.job
- l:\documents and settings\jrod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-19 21:36]
2009-07-11 l:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1202660629-725345543-1003UA.job
- l:\documents and settings\jrod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-19 21:36]
.
.
------- Supplementary Scan -------
.
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
FF - ProfilePath - l:\documents and settings\jrod\Application Data\Mozilla\Firefox\Profiles\o469qpv0.default\
FF - prefs.js: browser.startup.homepage - hxxps://addons.mozilla.org/en-US/firefox/|http://www.google.com/ig?hl=en&source=iglk
FF - plugin: l:\documents and settings\jrod\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: l:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - l:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - l:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
l:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
l:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
l:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
l:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
l:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
l:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 11:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
l:\windows\system32\Ati2evxx.dll
l:\program files\common files\logitech\bluetooth\LBTWlgn.dll
l:\program files\common files\logitech\bluetooth\LBTServ.dll
- - - - - - - > 'explorer.exe'(3080)
l:\windows\system32\WININET.dll
l:\program files\Logitech\SetPoint\lgscroll.dll
l:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
l:\windows\system32\ieframe.dll
l:\windows\system32\webcheck.dll
l:\windows\system32\WPDShServiceObj.dll
l:\windows\system32\PortableDeviceTypes.dll
l:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-11 11:14
ComboFix-quarantined-files.txt 2009-07-11 15:14
ComboFix2.txt 2009-07-11 14:58
Pre-Run: 54,332,719,104 bytes free
Post-Run: 54,327,730,176 bytes free
326 --- E O F --- 2009-06-24 12:03
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:18 AM, on 7/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
L:\WINDOWS\System32\smss.exe
L:\WINDOWS\system32\winlogon.exe
L:\WINDOWS\system32\services.exe
L:\WINDOWS\system32\lsass.exe
L:\WINDOWS\system32\Ati2evxx.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\system32\Ati2evxx.exe
L:\WINDOWS\system32\spoolsv.exe
L:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
L:\WINDOWS\System32\svchost.exe
L:\Program Files\Java\jre6\bin\jqs.exe
L:\PROGRA~1\AVG\AVG8\avgrsx.exe
L:\WINDOWS\system32\HPZipm12.exe
L:\PROGRA~1\AVG\AVG8\avgnsx.exe
L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
L:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
L:\WINDOWS\System32\svchost.exe
L:\PROGRA~1\AVG\AVG8\avgemc.exe
L:\WINDOWS\system32\SearchIndexer.exe
L:\Program Files\AVG\AVG8\avgcsrvx.exe
L:\Program Files\Analog Devices\SoundMAX\SMTray.exe
L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
L:\Program Files\HP\HP Software Update\HPWuSchd2.exe
L:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
L:\Program Files\Java\jre6\bin\jusched.exe
L:\WINDOWS\system32\ctfmon.exe
L:\Documents and Settings\jrod\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
L:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
L:\Program Files\Logitech\SetPoint\SetPoint.exe
L:\Program Files\Windows Desktop Search\WindowsSearch.exe
L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
L:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
L:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
L:\WINDOWS\system32\wscntfy.exe
L:\WINDOWS\explorer.exe
L:\WINDOWS\system32\notepad.exe
L:\WINDOWS\system32\SearchProtocolHost.exe
L:\Program Files\Trend Micro\HijackThis\HijackThis55545.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - L:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - L:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - L:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - L:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] L:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Smapp] L:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StartCCC] "L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RoxWatchTray] "L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] L:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "L:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "L:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "L:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "L:\Documents and Settings\jrod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] L:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "L:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: HP Digital Imaging Monitor.lnk = L:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = L:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = L:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - L:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - L:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - L:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245375514173
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245609854921
O20 - Winlogon Notify: avgrsstarter - L:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - L:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - L:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - L:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - L:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - L:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - L:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Pml Driver HPZ12 - HP - L:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - L:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - L:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - L:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - L:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7715 bytes
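An added example, not part of this thread or of HijackThis itself: a small Python parser for the O2/O4/O23 lines in the format of the log above that lists the entries a helper would look at first (autostarts with a bare filename or a user-profile/Temp path, and services with no publisher). The sample lines are copied from the log, except the SessionLauncher service line, which is constructed from the S4 entry in the ComboFix output; a flag means "look closer", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 format. All lines are copied from the
# log above except the last one, which is constructed from the S4
# SessionLauncher entry ComboFix reported under the user's Temp folder.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] L:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "L:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Google Update] "L:\Documents and Settings\jrod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Logitech SetPoint.lnk = L:\Program Files\Logitech\SetPoint\SetPoint.exe
O23 - Service: ATI Smart - Unknown owner - L:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - L:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SessionLauncher - Unknown owner - L:\DOCUME~1\jrod\LOCALS~1\Temp\DX9\SessionLauncher.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<hive>\w+ Startup): (?P<name>.*?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)
# Directories an ordinary user can write to; a startup binary here is the first thing a helper checks.
USER_WRITABLE_RE = re.compile(
    r"\\(temp|locals~1|local settings|docume~1|documents and settings|application data)\\",
    re.IGNORECASE,
)

@dataclass
class Entry:
    kind: str                    # HijackThis section: O2, O4 or O23
    name: str
    path: str                    # executable or DLL, arguments stripped
    owner: Optional[str] = None  # publisher, O23 lines only

def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, dropping its arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().split()[0]

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O4/O23 line; lines from other sections return None."""
    if m := O2_RE.match(line):
        return Entry("O2", m["name"], m["path"].strip())
    if (m := O4_RUN_RE.match(line)) or (m := O4_STARTUP_RE.match(line)):
        return Entry("O4", m["name"], executable_of(m["cmd"]))
    if m := O23_RE.match(line):
        return Entry("O23", m["name"], m["path"].strip(), m["owner"])
    return None

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def flags_for(entry: Entry) -> List[str]:
    """Review points for one entry; a flag means 'look closer', not 'malicious'."""
    flags = []
    if entry.kind in ("O4", "O23"):
        if "\\" not in entry.path:
            flags.append("bare filename: found by search order, not a fixed path")
        if USER_WRITABLE_RE.search(entry.path):
            flags.append("runs from a user-writable profile/Temp location")
    if entry.kind == "O23" and entry.owner == "Unknown owner":
        flags.append("service binary carries no publisher information")
    return flags

def triage(text: str) -> dict:
    """Map 'kind name' -> flags for every entry that has at least one flag."""
    return {f"{e.kind} {e.name}": f for e in parse_log(text) if (f := flags_for(e))}
```

Running `triage(SAMPLE_LOG)` on the sample leaves the AVG, Adobe, ATI CCC and SetPoint entries unflagged and reports the bare KHALMNPR.EXE, the per-user Google Update path, the unsigned-looking ATI Smart service and the Temp-folder SessionLauncher service.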
Logs look good :bigthumb:
Let's update your Java to make your system more secure.
Go to your Control Panel and click on the Java icon (looks like a little coffee cup), click on About and you should have Version 6 Update 14; if not, proceed with the instructions.
Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp), save it, do not install it yet.
Java SE Runtime Environment (JRE) JRE 6 Update 14 <-- The wording is confusing but this is what you need
Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version
You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)
Let me point this out about P2P (File Sharing Programs) as I see you have uTorrent installed. Using file sharing programs is like playing Russian Roulette malware-wise. You never know what's attached to that music file or whatever you use it for. I would never allow any programs like that on any of my systems.
We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.
Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.
We do not ask you to do this without reason.
P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
How are things running now???
Ken
chipecan
2009-07-11, 20:51
Java was updated to 6.14 and I will be taking your advice and removing uTorrent....I was running just fine for over two years and when I read your suggestion on removing the P2P I realized all my problems started shortly after getting back into torrent files.
Thanks again for all your help, you guys are amazing with the support you provide!!!!!
You're very welcome :bigthumb:
Combofix <--- is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
Safe Surfn
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.