View Full Version : Personal Anitvirus
While surfing around a suspicious pop-up appeared stating something along the lines of "You may be infected" and was disregarded. Since then, Trend Micros RUBotted has given notifications of "Bot found", occasional pop-ups from "Microsoft Visual C++ Library, Debug Assertion Failed!", and clean your computer with "Personal Antivirus" (while online) have been spontaneously appearing. Installed and ran Kaspersky Internet Security 2009 as well as Malewarebytes but, evidently, to no avail. Other than those stated above, no other problems or performance issues have been noticed. The HJT log is below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:09 AM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://lic.music.msn.com
O15 - Trusted Zone: http://music.msn.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118279043140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125928240390
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag4507.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax4507.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://www.spcollege.edu/webcentral/templates/MYSPC_square.JPG
--
End of file - 10389 bytes
pskelley
2009-07-19, 13:47
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You must have read and followed the "Before you Post" instructions.
I am not sure if you have a malware problem or not? When you post error messages, they must be word for word, this message:
Microsoft Visual C++ Library, Debug Assertion Failed returns this information:
http://www.google.com/search?hl=en&q=Microsoft+Visual+C%2B%2B+Library%2C+Debug+Assertion+Failed&btnG=Google+Search&aq=f&oq=&aqi=
Appears you missed at least some of the directions, HJT is not located safely. Follow these directions to fix this:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until I ask for a log.
Let's look first with the programs you have onboard.
Trend Micro™ RUBotted (Beta)
This scan is new to me, scan the system and post the results so I can view them.
Kaspersky Internet Security
Scan the system and post the results.
Malwarebytes' Anti-Malware
update to at least Version 1.39 (Database 2462 7/18/2009)
perform a full scan, remove anything found and post the resulting log.
Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
The RUBotted does not scan. I just notifies of potential "bots". The message it gives is "Detected DNS query of malicious domain." A scan with Trend Micro House Call is then recommended.
The Kaspersky log is below.
Full Scan: completed 7/19/2009 12:17:02 PM (events: 37, objects: 319816, time: 01:07:44)
7/5/2009 7:19:59 PM Task completed
7/5/2009 7:17:57 PM Task started
Full Scan: completed 7/19/2009 12:17:02 PM (events: 37, objects: 319816, time: 01:07:44)
7/5/2009 7:39:21 PM Task stopped
7/5/2009 7:28:54 PM Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
7/5/2009 7:28:54 PM Detected: http://www.viruslist.com/en/advisories/35091 c:\program files\quicktime\quicktimeplayer.exe
7/5/2009 7:28:54 PM Detected: http://www.viruslist.com/en/advisories/35331 c:\program files\mozilla firefox\firefox.exe
7/5/2009 7:28:53 PM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\adobe\acrobat 6.0\reader\acrord32.exe
7/5/2009 7:28:36 PM Task started
Full Scan: completed 7/19/2009 12:17:02 PM (events: 37, objects: 319816, time: 01:07:44)
7/5/2009 7:39:38 PM Task completed
7/5/2009 7:39:26 PM Task started
Full Scan: completed 7/19/2009 12:17:02 PM (events: 37, objects: 319816, time: 01:07:44)
7/5/2009 7:59:39 PM Task started
7/5/2009 7:59:50 PM Task completed
Full Scan: completed 7/19/2009 12:17:02 PM (events: 37, objects: 319816, time: 01:07:44)
7/5/2009 9:04:14 PM Task completed
7/5/2009 9:04:13 PM Deleted: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\1d9a4d9-690f2f77/OP.class
7/5/2009 9:04:13 PM Detected: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\1d9a4d9-690f2f77/OP.class
7/5/2009 9:04:13 PM Deleted: Trojan-Downloader.WMA.Wimad.n c:\RECYCLER\S-1-5-21-2256005447-4013739996-1601439885-1009\Dc91.wma
7/5/2009 9:04:13 PM Detected: Trojan-Downloader.WMA.Wimad.n c:\RECYCLER\S-1-5-21-2256005447-4013739996-1601439885-1009\Dc91.wma
7/5/2009 9:04:13 PM Deleted: Exploit.Java.ByteVerify c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\7af974d4-1dd19d5e
7/5/2009 9:04:00 PM Detected: Exploit.Java.ByteVerify c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\7af974d4-1dd19d5e
7/5/2009 8:59:43 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
7/5/2009 8:59:43 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\msxml4.dll
7/5/2009 8:59:41 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9839.0_x-ww_ed80bd5c\msxml4.dll
7/5/2009 8:59:41 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
7/5/2009 8:59:41 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
7/5/2009 8:57:51 PM Detected: http://www.viruslist.com/en/advisories/32270 c:\WINDOWS\system32\FLASH.OCX
7/5/2009 8:43:46 PM Untreated: Trojan-Downloader.WMA.Wimad.n c:\RECYCLER\S-1-5-21-2256005447-4013739996-1601439885-1009\Dc91.wma Postponed
7/5/2009 8:43:46 PM Detected: Trojan-Downloader.WMA.Wimad.n c:\RECYCLER\S-1-5-21-2256005447-4013739996-1601439885-1009\Dc91.wma
7/5/2009 8:40:24 PM Detected: http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
7/5/2009 8:40:16 PM Detected: http://www.viruslist.com/en/advisories/35091 c:\program files\quicktime\quicktimeplayer.exe
7/5/2009 8:39:20 PM Detected: http://www.viruslist.com/en/advisories/35331 c:\program files\mozilla firefox\firefox.exe
7/5/2009 8:31:38 PM Detected: http://www.viruslist.com/en/advisories/23233 c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
7/5/2009 8:28:49 PM Detected: http://www.viruslist.com/en/advisories/34580 c:\program files\adobe\Acrobat 7.0\Acrobat\plug_ins\Annots.api
7/5/2009 8:28:13 PM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\adobe\acrobat 6.0\reader\AcroRd32.bak
7/5/2009 8:27:55 PM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\adobe\acrobat 6.0\reader\acrord32.exe
7/5/2009 8:27:46 PM Detected: http://www.viruslist.com/en/advisories/32270 c:\hp\recovery\wizard\SWR_Wizard.exe/iMUL
7/5/2009 8:06:54 PM Untreated: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\1d9a4d9-690f2f77/OP.class Postponed
7/5/2009 8:06:54 PM Detected: Trojan-Downloader.Java.OpenStream.ac c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\1d9a4d9-690f2f77/OP.class
7/5/2009 8:06:53 PM Untreated: Exploit.Java.ByteVerify c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\7af974d4-1dd19d5e Postponed
7/5/2009 8:06:53 PM Detected: Exploit.Java.ByteVerify c:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\7af974d4-1dd19d5e
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride2.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride2.zip/sbRecovery.reg
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip/sbRecovery.reg
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip/sbRecovery.reg
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip/Pynix.dll
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip/dlmax.dll
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip/alexaie.dll
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip/questmod.dll
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip/udpmod.dll
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/runsrv32.dll
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/txfdb32.dll
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/sbRecovery.ini
7/5/2009 8:04:38 PM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/runsrv32.exe
7/5/2009 8:04:26 PM Task started
7/5/2009 8:04:21 PM Task stopped
7/5/2009 8:04:16 PM Task started
Full Scan: completed 7/19/2009 12:17:02 PM (events: 37, objects: 319816, time: 01:07:44)
7/6/2009 8:22:23 PM Task completed
7/6/2009 8:18:09 PM Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
7/6/2009 8:18:09 PM Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\msxml4.dll
7/6/2009 8:18:07 PM Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
7/6/2009 8:18:07 PM Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9839.0_x-ww_ed80bd5c\msxml4.dll
7/6/2009 8:18:07 PM Detected: http://www.viruslist.com/en/advisories/23655 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
7/6/2009 8:16:02 PM Detected: http://www.viruslist.com/en/advisories/32270 C:\WINDOWS\system32\FLASH.OCX
7/6/2009 7:59:21 PM Detected: http://www.viruslist.com/en/advisories/35091 C:\Program Files\QuickTime\QuickTimePlayer.exe
7/6/2009 7:50:16 PM Detected: http://www.viruslist.com/en/advisories/23233 C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
7/6/2009 7:47:03 PM Detected: http://www.viruslist.com/en/advisories/26201 C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.bak
7/6/2009 7:46:32 PM Detected: http://www.viruslist.com/en/advisories/32270 C:\hp\recovery\wizard\SWR_Wizard.exe/iMUL
7/6/2009 7:20:56 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride2.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride2.zip/sbRecovery.reg
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip/sbRecovery.reg
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip/sbRecovery.reg
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip/Pynix.dll
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip/dlmax.dll
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip/alexaie.dll
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip/questmod.dll
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip/udpmod.dll
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/runsrv32.dll
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/txfdb32.dll
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/sbRecovery.ini
7/6/2009 7:20:55 PM Password protected C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/runsrv32.exe
7/6/2009 7:19:47 PM Task started
Full Scan: completed 7/19/2009 12:17:02 PM (events: 37, objects: 319816, time: 01:07:44)
7/19/2009 11:09:18 AM Task started
7/19/2009 11:10:15 AM Detected: http://www.viruslist.com/en/advisories/35798 c:\program files\mozilla firefox\firefox.exe
7/19/2009 11:10:19 AM Detected: http://www.viruslist.com/en/advisories/35091 c:\program files\quicktime\quicktimeplayer.exe
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/runsrv32.exe
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/sbRecovery.ini
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/txfdb32.dll
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/sbRecovery.ini
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/runsrv32.dll
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/sbRecovery.ini
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip/udpmod.dll
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip/sbRecovery.ini
7/19/2009 11:21:10 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip/questmod.dll
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip/sbRecovery.ini
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip/alexaie.dll
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip/sbRecovery.ini
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip/dlmax.dll
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip/sbRecovery.ini
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip/Pynix.dll
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip/sbRecovery.ini
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip/sbRecovery.reg
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip/sbRecovery.ini
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip/sbRecovery.reg
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride1.zip/sbRecovery.ini
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride2.zip/sbRecovery.reg
7/19/2009 11:21:11 AM Password protected c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride2.zip/sbRecovery.ini
7/19/2009 11:42:11 AM Detected: http://www.viruslist.com/en/advisories/32270 c:\hp\recovery\wizard\SWR_Wizard.exe/iMUL
7/19/2009 11:42:34 AM Detected: http://www.viruslist.com/en/advisories/26201 c:\program files\Adobe\Acrobat 6.0\Reader\AcroRd32.bak
7/19/2009 11:45:35 AM Detected: http://www.viruslist.com/en/advisories/23233 c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
7/19/2009 11:52:51 AM Detected: http://www.viruslist.com/en/advisories/35798 c:\program files\mozilla firefox\firefox.exe
7/19/2009 11:53:37 AM Detected: http://www.viruslist.com/en/advisories/35091 c:\program files\quicktime\quicktimeplayer.exe
7/19/2009 12:11:26 PM Detected: http://www.viruslist.com/en/advisories/32270 c:\WINDOWS\system32\FLASH.OCX
7/19/2009 12:13:08 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9839.0_x-ww_ed80bd5c\msxml4.dll
7/19/2009 12:13:08 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
7/19/2009 12:13:08 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
7/19/2009 12:13:09 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
7/19/2009 12:13:10 PM Detected: http://www.viruslist.com/en/advisories/23655 c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\msxml4.dll
7/19/2009 12:17:02 PM Task completed
Malwarebyte's found no issues and the log is below:
Malwarebytes' Anti-Malware 1.39
Database version: 2462
Windows 5.1.2600 Service Pack 3
7/19/2009 1:13:19 PM
mbam-log-2009-07-19 (13-13-19).txt
Scan type: Full Scan (C:\|)
Objects scanned: 198663
Time elapsed: 39 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is the Uninstall list from HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:09 AM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://lic.music.msn.com
O15 - Trusted Zone: http://music.msn.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118279043140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125928240390
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag4507.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax4507.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://www.spcollege.edu/webcentral/templates/MYSPC_square.JPG
--
End of file - 10389 bytes
Here is the exact wording for the previously mentioned notification. I also have a screen shot if what would be of assistance.
Microsoft Visual C++ Debug Library
Debug Assertion Failed!
Program :C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
File: c:\programs files\microsoft visual studio .net 2003 vc7\atlmfc\include\atlfile.h
Line: 188
Expression: m_h!=0
For information on how your program can cause an assertion failure, see the Visual C++ documentation on asserts.
Then the option are Abort, Retry, or Ignore.
Also, within the past hour, I have received the same Antivirus notification on both of my laptops which are NOT connected to this desktop via network. I can only imagine it is spreading through email? Perhaps that is how this problem started in the first place?
I almost forgot, my laptop with Symantec gave the notification message with the name of Trojan.FakeAVAlert as the issue. I am a little disappointed and concerned that Kaspersky appears to has done nothing about this problem.
pskelley
2009-07-19, 20:38
You have a bit of a mess here and I personally don't think it has anything to do with malware. I will do what I can to provide some guidence, but this could take a while.
Let's start with this message:
Microsoft Visual C++ Debug Library Debug Assertion Failed!
I can not allocate the time to read this for you.
http://www.google.com/search?hl=en&q=Microsoft+Visual+C%2B%2B+Debug+Library+Debug+Assertion+Failed%21&btnG=Google+Search&aq=f&oq=&aqi=
This tell you where the problem is:
Program :C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
File: c:\programs files\microsoft visual studio .net 2003 vc7\atlmfc\include\atlfile.h
Line: 188
Expression: m_h!=0
http://www.bleepingcomputer.com/startups/lsburnwatcher.exe-10048.html <<< see this
You can turn off that item in MSConfig and see if the message stops, this is out of my area of expertise and if that does not work, I suggest you consult Microsoft Technical Support for advice.
http://support.microsoft.com/
Trend Micro™ RUBotted (Beta)
What is a Beta?
The term "beta" refers to a piece of software or web application that's still being developed.
I would think you should return information about beta finding to TM for their assessment, without the name of an actual file or the location of the infection, not much I can say.
Kaspersky Scan:
The items with links in the results are information for you, please click each link to see that information.
Example: 7/5/2009 7:28:54 PM Detected: See this >> http://www.viruslist.com/en/advisories/27620 c:\program files\real\realplayer\realplay.exe
You do have an infected Java cache, clean it like this:
http://java.com/en/download/help/5000020300.xml
http://myweb.csc.edu/mycsc/help/java.htm
You also are storing a lot of junk in the Spybot S&D Recovery folder, clean it like this:
Open Spybot S&D > click Recovery > Purge everything in there.
complete those instructions, restart the computer and and scan again with Kaspersky. Post the results but NOT the informational links.
Please post the uninstall list, you posted another HijackThis log?
I can deal with only one computer at a time, Symantec is not installed on this computer.
Thanks
I followed the Java instructions and all went well. Spybot has been uninstalled for some time now so I'm not sure what to do about that process
I guess I accidentally copied the HJT log rather than the uninstall list, sorry. Here is the correct one.
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Windows XP Screen Saver
Adobe Acrobat 7.0 Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Shockwave Player
Agere Systems PCI Soft Modem
American Flag Screen Saver
Counter-Strike(TM)
Critical Update for Windows Media Player 11 (KB959772)
DVD Decrypter (Remove Only)
DVD Shrink 3.2
ERUNT 1.1j
Google Earth
Help and Support Additions
High Definition Audio Driver Package - KB835221
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.2.3
HP Image Zone Plus 4.2.3
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZ423
Intel(R) Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
Java(TM) 6 Update 13
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
KBD
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft Halo Custom Edition
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.5)
MSN Entertainment Download Troubleshooter
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
muvee autoProducer 3.5 magicMoments - HPD
NetMos Multi-IO Controller
Nokia Connectivity Cable Driver
Nokia PC Suite
NVDVD
NVIDIA Drivers
PC Connectivity Solution
Photosmart 320,370,7400,8100,8400 Series
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Readiris Pro 7.5
Samsung SCX-4100 Series
SanDisk TransferMate
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SereneScreen Marine Aquarium 2.6
SmarThru 4
Sonic Express Labeler
Sonic RecordNow!
Sonic Update Manager
Steam(TM)
TI Connect 1.6
TI NoteFolio Creator
Trend Micro RUBotted
Uninstall Photo Viewer
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb971933)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Updates from HP
Windows Backup Utility
Windows Defender Signatures
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7 Beta 3
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Should I still restart and run the Kaspersky scan even though the Spybot issue is unresolved? Also, I will review the information in the Kaspersky scan you mentioned. Shall I take the steps recommended by those links now or await further instructions?
pskelley
2009-07-19, 22:42
This is where Kaspersky says the Recovery folder is located, looks like you did not uninstall it all.
c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/runsrv32.exe
Since Spybot S&D is uninstalled, delete this folder in red:
c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy <<< that folder and contents, make sure you empty the Recycle Bin and restart before you run Kaspersky. The scan then should be something we can look at for possible malware.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Flash Player 10 ActiveX <<< check this
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html
Adobe Shockwave Player <<< check this
http://www.adobe.com/support/security/bulletins/apsb09-08.html
Critical Adobe Shockwave flaw affects millions
http://blogs.zdnet.com/security/?p=3664
Java(TM) 6 Update 13 <<< update 14 has been released
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
Shall I take the steps recommended by those links now or await further instructions?
I have not seen those results from Kaspersky before, it's seems they have added unpatched, unsafe programs to their scan, similiar to the Secunia PSI freeware program I just suggested to you.
Thanks
The folder has been deleted, recycle bin emptied, and computer restarted and here is the new Kaspersky log minus the links you spoke of. I only pasted the most recent scan this time rather than the entire saved log file. I can post it in its entirety if needed.
7/19/2009 5:52:51 PM Task completed
7/19/2009 5:51:04 PM Detected: c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
7/19/2009 5:51:04 PM Detected: c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\msxml4.dll
7/19/2009 5:51:03 PM Detected: c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9839.0_x-ww_ed80bd5c\msxml4.dll
7/19/2009 5:51:03 PM Detected: c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
7/19/2009 5:51:03 PM Detected: c:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
7/19/2009 5:50:08 PM Detected: c:\WINDOWS\system32\FLASH.OCX
7/19/2009 5:41:36 PM Detected: c:\program files\quicktime\quicktimeplayer.exe
7/19/2009 5:41:20 PM Detected: c:\program files\mozilla firefox\firefox.exe
7/19/2009 5:37:02 PM Detected: c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
7/19/2009 5:35:32 PM Detected: c:\program files\Adobe\Acrobat 6.0\Reader\AcroRd32.bak
7/19/2009 5:35:14 PM Detected: c:\hp\recovery\wizard\SWR_Wizard.exe/iMUL
7/19/2009 5:12:41 PM Detected: c:\program files\quicktime\quicktimeplayer.exe
7/19/2009 5:12:38 PM Detected: c:\program files\mozilla firefox\firefox.exe
7/19/2009 5:12:02 PM Task started
I previously had Secunia on this machine but it was acting up. I will reinstall and see how it does. I will make sure everything I can is up to date.
pskelley
2009-07-20, 02:12
I am really not sure what Kaspersky is "detecting" here, usually when an item is infected, it says so.
msxml4.dll << http://www.google.com/search?hl=en&q=msxml4.dll+&btnG=Google+Search&aq=f&oq=&aqi=
Here is some information:
http://forum.kaspersky.com/index.php?showtopic=92620
You may have to post at the Kaspersky forum to find out why they are flagging this stuff:
http://forum.kaspersky.com/index.php?showforum=4
Since MBAM is showing nothing, let's have combofix take a look:
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed
Please continue as follows:
1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
http://www.bleepingcomputer.com/forums/topic114351.html
Remember to re-enable them afterwards.
2) Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
When the tool is finished, it will produce a report for you. Post that report and a new HJT log
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Thanks
Everything seemed to go without a hitch. The logs are below.
ComboFix 09-07-20.01 - HP_Owner 07/20/2009 19:41.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.635 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-3829820074-3101100281-3343375045-1003
c:\windows\btgrab.dll
c:\windows\system32\jao.dll
c:\windows\system32\tcpservice2.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.
2009-07-20 23:05 . 2009-07-20 23:06 -------- d-----w- c:\program files\QuickTime
2009-07-20 23:05 . 2009-07-20 23:05 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Apple
2009-07-20 23:05 . 2009-07-20 23:05 -------- d-----w- c:\program files\Apple Software Update
2009-07-20 23:05 . 2009-07-20 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-20 23:00 . 2009-07-20 23:00 -------- d-sh--w- c:\documents and settings\HP_Owner\IECompatCache
2009-07-20 22:59 . 2009-07-20 22:59 -------- d-sh--w- c:\documents and settings\HP_Owner\PrivacIE
2009-07-20 22:58 . 2009-07-20 22:58 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-20 22:28 . 2009-07-20 22:28 -------- d-----w- c:\windows\ie8updates
2009-07-20 22:27 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-20 22:27 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-20 22:27 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-20 22:27 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-20 22:25 . 2009-07-20 22:27 -------- dc-h--w- c:\windows\ie8
2009-07-20 00:23 . 2009-07-20 00:23 1914000 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-07-20 00:23 . 2009-07-20 11:48 -------- d-----w- c:\program files\NOS
2009-07-20 00:23 . 2009-07-20 11:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-20 00:17 . 2009-07-20 00:17 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-18 15:27 . 2009-07-18 15:28 -------- d-----w- c:\program files\ERUNT
2009-07-16 01:02 . 2009-07-16 01:02 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-10 01:18 . 2009-07-10 01:18 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-07-10 01:18 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 01:18 . 2009-07-16 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 01:18 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 01:18 . 2009-07-10 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-05 23:25 . 2009-07-05 23:25 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-07-05 23:25 . 2009-07-05 23:25 206088 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-07-05 23:25 . 2009-07-05 23:25 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-07-05 23:10 . 2009-07-05 23:25 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-07-05 23:10 . 2009-07-05 23:25 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-07-05 23:10 . 2009-07-20 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-05 23:10 . 2009-07-20 23:49 3655712 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-05 23:10 . 2009-07-20 23:48 614432 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-05 23:10 . 2009-07-05 23:10 -------- d-----w- c:\program files\Kaspersky Lab
2009-07-05 23:03 . 2009-07-05 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-07-05 22:51 . 2009-07-05 22:55 -------- d-----w- c:\documents and settings\HP_Owner\.housecall6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 23:49 . 2009-07-05 23:10 29640 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-20 23:48 . 2009-07-05 23:10 3180 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-20 23:10 . 2005-02-05 02:54 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-20 23:08 . 2004-10-22 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-20 23:08 . 2005-01-19 23:14 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-07-20 23:07 . 2005-01-22 05:08 85720 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 22:54 . 2009-07-20 22:54 110592 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fyt6i4ox.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2009-07-20 22:46 . 2008-03-03 00:57 -------- d-----w- c:\program files\MSBuild
2009-07-20 22:46 . 2009-07-20 22:46 -------- d-----w- c:\program files\Reference Assemblies
2009-07-20 22:39 . 2008-01-02 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-20 22:34 . 2004-10-22 01:51 -------- d-----w- c:\program files\Microsoft Works
2009-07-20 00:18 . 2004-10-22 00:27 -------- d-----w- c:\program files\Java
2009-07-18 15:25 . 2008-03-01 21:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\LimeWire
2009-07-06 23:17 . 2004-10-22 01:39 -------- d-----w- c:\program files\Common Files\Real
2009-07-05 23:25 . 2008-01-29 21:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-07-05 23:05 . 2005-04-20 00:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-05 23:02 . 2004-10-22 21:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-29 01:06 . 2006-04-09 16:45 1915520 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-16 14:36 . 2004-11-03 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-11-03 18:49 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-05 11:44 . 2009-04-02 04:00 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-03 19:09 . 2004-11-03 18:50 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 15:33 . 2008-12-14 16:51 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2004-11-03 18:52 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-11-03 18:50 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-20 21:39 . 2008-07-15 00:45 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-11-22 13:21 . 2007-11-22 13:19 24 --sh--w- c:\windows\SFE224615.tmp
2005-04-17 00:44 . 2005-04-17 00:44 0 --sha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-05 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-08 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-06 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-04-06 2805248]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-10-29 921600]
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-1-24 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Games\\halo.exe"=
"c:\\Program Files\\Games\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\reck325\\condition zero\\hl.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\MsnMusic\\4226251\\MsnMusic.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:*:Disabled:Seagull Driver Networking
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [4/7/2009 5:54 PM 582992]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [4/7/2009 5:54 PM 206608]
S2 WVLRWQOR;WVLRWQOR;\??\c:\windows\system32\wvlrwqor.eid --> c:\windows\system32\wvlrwqor.eid [?]
S3 JL2004A;JL2004A Photo Viewer;c:\windows\system32\drivers\pv_wdm.sys [2/13/2007 6:36 PM 63289]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [4/7/2009 5:54 PM 206608]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-VTTimer - VTTimer.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: msn.com\lic.music
Trusted Zone: msn.com\music
Trusted Zone: spcollege.edu\angel
Trusted Zone: spcollege.edu\www
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fyt6i4ox.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\fyt6i4ox.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 19:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WVLRWQOR]
"ImagePath"="\??\c:\windows\system32\wvlrwqor.eid"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3420)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\PC Connectivity Solution\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2009-07-20 19:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 23:55
Pre-Run: 82,759,983,104 bytes free
Post-Run: 82,818,703,360 bytes free
272 --- E O F --- 2009-07-16 11:59
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:11 AM, on 7/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://lic.music.msn.com
O15 - Trusted Zone: http://music.msn.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1118279043140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125928240390
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag4507.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax4507.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - http://www.spcollege.edu/webcentral/templates/MYSPC_square.JPG
--
End of file - 9939 bytes
pskelley
2009-07-21, 14:37
I am not sure what Running Processes you need at startup but you appear to have quite a few. (I have four) Have a look at this information to see if it help your computer run better.
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://www.bleepingcomputer.com/forums/index.php?showtopic=87058&st=0&p=487112&#entry487112
http://www.microsoft.com/atwork/getstarted/speed.mspx
Let's do a little cleaning.
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(you may leave the hp redirects if you use them)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
(you may leave these if you want them in your TZ)
O15 - Trusted Zone: http://lic.music.msn.com
O15 - Trusted Zone: http://music.msn.com
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
How is the computer running now?
Thanks
I reviewed the informational links you gave me and will follow some of the recommendations. I fixed the 5 selections from HJT scan with no problems and cleared the junk with ATF cleaner. The computer never showed signs of a problem as far as performance goes except the "Personal Antivirus" pop-ups that took over IE spontaneously. I used the task manager to end this application when it did apear (is that the correct way to handle that type of problem?). Since posting I have had the internet connection disabled except for postings, updates, etc. I updated several of the recommendations from the Kaspersky scan such as Acrobat 7.0 and Flash. I also did several critical and optional updates to IE, Office, and Windows using Microsoft Update online. I still haven't figured out what to do about the 5 Kaspersky recommendations that reference XML Cores as I don't know which core pertains to my system. Any thoughts on that issue would be appreciated though. Everything "seems" to be ok so far. I unfortunately still have the issue of the other two computers I mentioned though. But first, what is the next step for this one?
pskelley
2009-07-22, 02:34
Personal Antivirus is a rogue anti-spyware created by company named Innovagest 2000 and is a clone of General Antivirus and Internet Antivirus Pro.
http://www.bleepingcomputer.com/virus-removal/remove-personal-antivirus
If it gets on the computer it needs to be removed. Since it appears there is no uninstaller, programs like MBAM target the junk. Ending it with task manager only stops it until you restart the computer. Kind of like putting a band aid on cancer.
I believe I said I do not use Kaspersky Internet Security 2009 so I have no idea what it targets besides malware, but I did post a link to the forum where you can ask your questions.
If you wish to run a Kaspersky Online Scan (that I am familiar with) we can do that but you will need to disable Kaspersky Internet Security 2009 while you run the scan. I will post that scan last in case you wish to do this.
I unfortunately still have the issue of the other two computers I mentioned though.
Helpers will work with only one computer at a time. You would need to start a New Thread here:
http://forums.spybot.info/forumdisplay.php?f=22
for each computer and my suggestion would be to post for one computer at a time.
Let's remove combofix and reset System Restore and then I will post instructions for the Kaspersaky Online Scan (KOS)
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Do an online scan with Kaspersky Online Scanner(KOS)
http://www.kaspersky.com/virusscanner
1. Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
2. Click on the Accept button and install any components it needs.
3. The program will install and then begin downloading the latest definition files.
4. After the files have been downloaded on the left side of the page in the Scan section select My Computer
5. This will start the program and scan your system.
6. The scan will take a while, so be patient and let it run.
7. Once the scan is complete, click on View scan report
8. Now, click on the Save Report as button.
9. Save the file to your desktop.
10. Copy and paste that information in your next post
I followed your supplied link and started the Kaspersky online scan. It recommended disabling all antivirus programs, which I did, and started downloading the necessary files. Partial through this process a notification appeared stating that the online scan could not be done because Kaspersky was already installed on the computer. So obviously posting a log for that is out of the question.
pskelley
2009-07-22, 12:55
you will need to disable Kaspersky Internet Security 2009 while you run the scan.
Funny that Kaspersky will not let Kaspersky run.
Thanks
So is it safe to assume my pc now has a clean bill of health? If so thanks for the help and patience. Keep fighting the fight!
pskelley
2009-07-22, 13:59
I do suggest, if you are going to run Kaspersky, you ask the questions at their forum so you understand what the program is going to identify and why.
http://forums.techarena.in/guides-tutorials/1121122.htm
Thanks