Can't get rid of Virtumonde



goner
2009-08-03, 17:43
After not checking for problems in a long time because I did not notice problems, I downloaded and ran Spybot. Besides cookies, Virtumonde showed up. I tried to fix it, but it shows up each time I start the computer. I tried several times but it keeps coming back. I also ran CCleaner and still no luck. I started checking out ways to fix it and happened onto your forum. Sorry I did not know about you guys before I spent several days working on it. I read "Before you post" and backed up registers, ran ERUNT and ran HJT, which is posted below. One thing kind of surprised me: Spybot took over 3 hours to run and my system is only 40GB. Is this normal? Thank you in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:01 AM, on 8/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\Explorer.EXE
C:\windows\system32\wuauclt.exe
C:\windows\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcrecruiter.net/pcrbin/pcrnf.asp?uid=odbc.centerpoint
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205177738036
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242419410175
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Hewlett-Packard - C:\Program Files\HP\e-DiagTools\edtsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5916 bytes

Dakeyras
2009-08-04, 16:14
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hi goner and welcome to Safer Networking :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes, as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Scan with Rooter:

Please download Rooter (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Feric.71.mespages.googlepages.com%2FRooter.exe) to your desktop.

Double click on Rooter.exe to start the application.
Now click on the Scan button.
When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
Now click on the Close button to exit Rooter.
Note: The logfile can also be located within the folder Rooter$ at the root of your installed hard drive, e.g. C:\Rooter$

Scan with RSIT:

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop. Make sure that RSIT.exe is on your Desktop before running the application!

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
When you have completed the above, please post back the following in the order asked for:

How is your computer performing now? Any further symptoms and/or problems encountered?
Rooter log.
Both RSIT logs. <-- Post them individually please, i.e. one log per post/reply.

goner
2009-08-04, 17:13
Hello Dakeyras, thank you for taking my case. I believe your instruction was to scan with rooter first and then post it back to you and then scan with RSIT and separately post back to you. So this is my post with Rooter and I will follow it with RSIT in a second post. Also, this is the first time I have used a blog so please excuse any bonehead moves.

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 1 Stepping 2, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 7.0.5730.13
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:37 Go - Free:26 Go )
D:\ [Fixed-NTFS] .. ( Total:189 Go - Free:150 Go )
E:\ [CD_Rom]
.
Scan : 10:53.46
Path : C:\Documents and Settings\aedesk1\Desktop\Rooter.exe
User : aedesk1 ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (616)
______ \??\C:\windows\system32\csrss.exe (676)
______ \??\C:\windows\system32\winlogon.exe (704)
______ C:\windows\system32\services.exe (748)
______ C:\windows\system32\lsass.exe (760)
______ C:\windows\system32\svchost.exe (916)
______ C:\windows\system32\svchost.exe (1008)
______ C:\windows\System32\svchost.exe (1120)
______ C:\windows\System32\svchost.exe (1228)
______ C:\windows\System32\svchost.exe (1328)
______ C:\windows\system32\spoolsv.exe (1440)
______ C:\windows\System32\svchost.exe (1536)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1568)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1604)
______ C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (1632)
______ C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (1836)
______ C:\WINDOWS\system32\HPZipm12.exe (1856)
______ C:\windows\System32\svchost.exe (1888)
______ C:\windows\System32\alg.exe (464)
______ C:\windows\system32\wscntfy.exe (2008)
______ C:\windows\Explorer.EXE (1492)
______ C:\windows\system32\wuauclt.exe (1940)
______ C:\windows\system32\atiptaxx.exe (804)
______ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (972)
______ C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe (452)
______ C:\Program Files\iTunes\iTunesHelper.exe (2168)
______ C:\Program Files\Messenger\msmsgs.exe (2184)
______ C:\windows\system32\ctfmon.exe (2192)
______ C:\windows\System32\svchost.exe (2336)
______ C:\Program Files\iPod\bin\iPodService.exe (2528)
______ C:\Program Files\Mozilla Firefox\firefox.exe (2904)
______ C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (3412)
______ C:\windows\system32\NOTEPAD.EXE (3524)
______ C:\windows\system32\taskmgr.exe (996)
______ C:\Documents and Settings\aedesk1\Desktop\Rooter.exe (3980)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:40032405504)
.
----------------------\\ Scheduled Tasks
.
C:\windows\Tasks\desktop.ini
C:\windows\Tasks\SA.DAT
C:\windows\Tasks\WGASetup.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:53.48
.
C:\Rooter$\Rooter_1.txt - (04/08/2009 | 10:53.48)

goner
2009-08-04, 17:26
OK Dakeyras, here is the RSIT scan below. The bottom of your post asks how the computer is running now. Should I restart and run Spybot? Should Spybot take over 3 hours to run?

Logfile of random's system information tool 1.06 (written by random/random)
Run by aedesk1 at 2009-08-04 11:17:05
Microsoft Windows XP Professional Service Pack 3
System drive C: has 28 GB (72%) free of 38 GB
Total RAM: 1279 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:23 AM, on 8/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\Explorer.EXE
C:\windows\system32\wuauclt.exe
C:\windows\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\aedesk1\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\aedesk1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcrecruiter.net/pcrbin/pcrnf.asp?uid=odbc.centerpoint
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205177738036
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242419410175
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Hewlett-Packard - C:\Program Files\HP\e-DiagTools\edtsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6213 bytes

======Scheduled tasks folder======

C:\windows\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"=C:\windows\system32\atiptaxx.exe [2001-08-31 245760]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-07-30 77824]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\windows\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe [2009-02-02 240544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk.disabled - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk.disabled - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Microsoft Office.lnk.disabled - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\aedesk1\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\windows\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskmgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Setup\HPZnet01.exe"="E:\Setup\HPZnet01.exe:*:Enabled:Install Consumer Experience Network Plug in"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0eb73434-668f-11de-9cf1-00042314f8b2}]
shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe


======List of files/folders created in the last 1 months======

2009-08-04 11:17:05 ----D---- C:\rsit
2009-08-04 10:53:48 ----D---- C:\Rooter$
2009-08-03 10:27:21 ----D---- C:\Program Files\Trend Micro
2009-07-31 17:48:40 ----D---- C:\windows\ERDNT
2009-07-31 17:46:04 ----D---- C:\Program Files\ERUNT
2009-07-16 15:01:26 ----A---- C:\windows\wininit.ini
2009-07-16 12:05:13 ----HDC---- C:\windows\$NtUninstallKB973346$
2009-07-16 12:04:57 ----HDC---- C:\windows\$NtUninstallKB971633$
2009-07-16 12:04:41 ----A---- C:\windows\system32\MRT.INI
2009-07-16 12:01:14 ----HDC---- C:\windows\$NtUninstallKB961371$
2009-07-07 16:43:29 ----D---- C:\Documents and Settings\aedesk1\Application Data\vlc
2009-07-07 15:04:13 ----D---- C:\Documents and Settings\aedesk1\Application Data\Apple Computer
2009-07-07 15:04:02 ----A---- C:\windows\system32\GEARAspi.dll
2009-07-07 15:03:34 ----D---- C:\Program Files\iPod
2009-07-07 15:03:29 ----D---- C:\Program Files\iTunes
2009-07-07 15:03:29 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-07 15:03:08 ----D---- C:\Program Files\Bonjour
2009-07-07 15:02:21 ----D---- C:\Program Files\QuickTime
2009-07-07 15:02:19 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-07-07 15:01:52 ----D---- C:\Program Files\Apple Software Update
2009-07-07 15:01:38 ----DC---- C:\windows\system32\DRVSTORE
2009-07-07 15:01:10 ----D---- C:\Program Files\Common Files\Apple
2009-07-07 15:01:09 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2009-07-06 08:22:37 ----HDC---- C:\windows\$NtUninstallKB929399$
2009-07-06 08:22:07 ----HDC---- C:\windows\$NtUninstallKB939683$
2009-07-06 08:21:29 ----HDC---- C:\windows\$NtUninstallKB959772_WM11$
2009-07-06 08:21:16 ----HDC---- C:\windows\$NtUninstallKB954154_WM11$
2009-07-06 08:20:10 ----HDC---- C:\windows\$NtUninstallKB936782_WMP11$

======List of files/folders modified in the last 1 months======

2009-08-04 11:16:26 ----D---- C:\windows\Prefetch
2009-08-04 10:42:51 ----D---- C:\Program Files\Mozilla Firefox
2009-08-04 09:00:46 ----A---- C:\windows\hpbafd.ini
2009-08-03 16:59:37 ----D---- C:\windows\Temp
2009-08-03 10:27:21 ----AD---- C:\Program Files
2009-08-03 09:27:23 ----AD---- C:\WINDOWS
2009-08-03 09:21:54 ----RSHD---- C:\windows\system32\dllcache
2009-08-03 08:57:33 ----HD---- C:\windows\inf
2009-08-03 08:57:33 ----D---- C:\windows\system32\CatRoot2
2009-07-31 17:50:03 ----A---- C:\windows\SchedLgU.Txt
2009-07-31 17:25:21 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-30 07:49:36 ----AD---- C:\windows\system32
2009-07-29 16:03:29 ----SD---- C:\Documents and Settings\aedesk1\Application Data\Microsoft
2009-07-29 12:25:39 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-29 12:01:28 ----D---- C:\windows\system32\en-us
2009-07-29 12:01:28 ----D---- C:\Program Files\Internet Explorer
2009-07-28 15:46:48 ----HD---- C:\windows\$hf_mig$
2009-07-22 17:21:56 ----SHD---- C:\windows\Installer
2009-07-22 17:21:56 ----HD---- C:\Config.Msi
2009-07-19 09:33:02 ----A---- C:\windows\system32\mshtml.dll
2009-07-19 09:32:59 ----A---- C:\windows\system32\ieframe.dll
2009-07-17 18:39:06 ----D---- C:\windows\Debug
2009-07-15 13:05:13 ----D---- C:\windows\system32\CatRoot
2009-07-07 15:04:02 ----D---- C:\windows\system32\drivers
2009-07-07 15:01:36 ----D---- C:\windows\WinSxS
2009-07-07 15:01:10 ----D---- C:\Program Files\Common Files
2009-07-07 11:10:56 ----A---- C:\windows\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\windows\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 Arp1394;1394 ARP Client Protocol; C:\windows\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtaa;ati2mtaa; C:\windows\System32\DRIVERS\ati2mtaa.sys [2001-09-21 282688]
R3 E100B;Intel(R) PRO Adapter Driver; C:\windows\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 NAVAP;NAVAP; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090802.003\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090802.003\NAVEX15.sys []
R3 NIC1394;1394 Net Driver; C:\windows\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 StillCam;Still Serial Digital Camera Driver; C:\windows\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\windows\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\windows\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 ati2mpaa;ati2mpaa; C:\windows\System32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 USBSTOR;USB Mass Storage Driver; C:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\windows\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\windows\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 DefWatch;DefWatch; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe [2002-07-30 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe [2002-07-30 573440]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\windows\System32\Ati2evxx.exe [2000-11-30 57344]
S2 edtlancfg;e-DiagTools LAN Configuration Agent; C:\Program Files\HP\e-DiagTools\edtsrv.exe [2001-09-21 184320]
S3 aspnet_state;ASP.NET State Service; C:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\windows\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

Dakeyras
2009-08-04, 19:39
Hi :)


> Hello Dakeyras, thank you for taking my case.

You're welcome!


> Should I restart and run Spybot? Should Spybot take over 3 hours to run?

No, we do not need to run a scan with Spybot S&D at this time. Scan times can vary according to hard-drive size and the amount of files present. In this case, however, 3 hours for a scan is a somewhat protracted length of time and far from the norm.

Next:

I do need to review the RSIT info.txt; it can be found within this folder at the root of the hard drive:

C:\rsit <-- Within this folder.

goner
2009-08-04, 20:06
I don’t know if it is showing up or not but there is a “D” drive in the computer as well. I am not sure it makes a difference or not for what we are currently doing but I do not want you to be surprised later. The RSIT info.txt is posted below.

info.txt logfile of random's system information tool 1.06 2009-08-04 11:17:27

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Ad-aware 6 Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 10 Plugin-->C:\windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7646-000000000001}
Apple Mobile Device Support-->MsiExec.exe /I{8355F970-601D-442D-A79B-1D7DB4F24CAD}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\windows\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
e-Diagtools LAN Configuration Agent-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A00D9A50-DE4A-11D3-BACD-00500478B0F5}\Setup.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\windows\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\windows\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Extended Capabilities 4.7-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP LaserJet 2200 Uninstaller-->C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\2200\setup.exe uninst22.ini
HP PSC & OfficeJet 4.7-->"C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update-->MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
iTunes-->MsiExec.exe /I{5D601655-6D54-4384-B52C-17EC5385FBBD}
LiveUpdate 1.7 (Symantec Corporation)-->C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U
MaxBlast 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{639858DD-4966-40F3-A706-7C838BCF3A2B}\setup.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\windows\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\windows\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\windows\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Media Content-->MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Standard-->MsiExec.exe /I{90120409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\windows\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.12)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\windows\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\windows\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\windows\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\windows\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\windows\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\windows\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\windows\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\windows\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\windows\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\windows\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\windows\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\windows\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\windows\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\windows\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\windows\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\windows\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\windows\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\windows\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\windows\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\windows\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\windows\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\windows\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\windows\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\windows\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\windows\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\windows\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\windows\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\windows\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\windows\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\windows\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\windows\$NtUninstallKB973346$\spuninst\spuninst.exe"
Spybot - Search & Destroy 1.5.2.20-->"C:\WINDOWS\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Symantec AntiVirus Client-->MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\windows\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\windows\$NtUninstallKB967715$\spuninst\spuninst.exe"
VLC media player 0.9.9-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Internet Explorer 7-->"C:\windows\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\windows\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\windows\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Hosts File======

10.3.58.222 HP00156047A4C6
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======System event log======

Computer Name: MRFLEMINGTON3
Event Code: 20
Message: Printer Driver HP LaserJet 2200 Series PCL for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPLJ2200.GPD, UNIDRV.HLP, PCL5ERES.DLL, UNIRES.DLL, hpcfont.dll, hpcstr.dll, hpcljx.hlp, hpcmacro.gpd, hpcfont.gpd, TTFSUB.GPD, STDNAMES.GPD.

Record Number: 540
Source Name: Print
Time Written: 20080311131528.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MRFLEMINGTON3
Event Code: 20
Message: Printer Driver HP LaserJet 2200 Series PCL 6 for Windows NT x86 Version-3 was added or updated. Files:- hpbf322g.dll, hpbf322e.dll, hpbf322i.pmd, hpbf322e.hlp, HPBAFD32.DLL, HPBFTM32.DLL, HPBMMON.DLL, HPDOMON.DLL, HPBHEALR.DLL.

Record Number: 511
Source Name: Print
Time Written: 20080311112952.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MRFLEMINGTON3
Event Code: 20
Message: Printer Driver HP remote printers for Windows NT x86 Version-3 was added or updated. Files:- hpz2ku12.dll, hpzpm312.dll, hpqish09.dat, hpzeng12.exe, hpzflt12.dll, hpzimc12.dll, hpzime12.dll, hpzjui12.dll, hpzlnt12.dll, hpzr3212.dll, hpzres12.dll, hpzsnt12.dll, hpqish09.dll, hpqip09.dll, hpfmom12.hlp, hpzrm312.dll.

Record Number: 492
Source Name: Print
Time Written: 20080311105200.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MRFLEMINGTON3
Event Code: 20
Message: Printer Driver HP Officejet 7300 series fax for Windows NT x86 Version-3 was added or updated. Files:- hpz2ku12.dll, hpzpm312.dll, hpof7312.dat, hpzeng12.exe, hpzflt12.dll, hpzimc12.dll, hpzime12.dll, hpzjui12.dll, hpzlnt12.dll, hpzr3212.dll, hpzres12.dll, hpzsnt12.dll, hpofax08.dll.

Record Number: 489
Source Name: Print
Time Written: 20080311105056.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: MRFLEMINGTON3
Event Code: 20
Message: Printer Driver HP Officejet 7300 series for Windows NT x86 Version-3 was added or updated. Files:- hpz2ku12.dll, hpzpm312.dll, hpop7312.dat, hpfmom12.hlp, hpzimc12.dll, hpzstw12.exe, hpzslk12.dll, hpzr3212.dll, hpzrm312.dll, hpzcon12.dll, hpzcfg12.exe, hpzeng12.exe, hpzflt12.dll, hpzime12.dll, hpzjui12.dll, hpzpre12.exe, hpzres12.dll, hpzstc12.exe, hpztbi12.dll, hpztbu12.exe, hpztbx12.exe, hpzlnt12.dll, hpzsnt12.dll, hpzcoi12.dll, hpzvip12.dll, hpzims12.dll, hpzpcl12.dll, hpofax08.dll, hpof7312.dat.

Record Number: 482
Source Name: Print
Time Written: 20080311104212.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: MRFLEMINGTON3
Event Code: 4354
Message: The COM+ Event System failed to fire the ConnectionMade method on subscription {69880AE9-54E6-4477-AC58-EF5CA46EA325}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80004001.
Record Number: 13
Source Name: EventSystem
Time Written: 20080310161708.000000-240
Event Type: warning
User:

Computer Name: MRFLEMINGTON3
Event Code: 4354
Message: The COM+ Event System failed to fire the ConnectionMade method on subscription {11A872EF-110F-49C0-82F2-808D4A28C2AA}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80004001.
Record Number: 11
Source Name: EventSystem
Time Written: 20080310160550.000000-240
Event Type: warning
User:

Computer Name: MRFLEMINGTON3
Event Code: 4354
Message: The COM+ Event System failed to fire the ConnectionMade method on subscription {EFCEEDA3-3B06-4D22-87BE-CBDD44888788}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80004001.
Record Number: 9
Source Name: EventSystem
Time Written: 20080310154025.000000-240
Event Type: warning
User:

Computer Name: MRFLEMINGTON3
Event Code: 4354
Message: The COM+ Event System failed to fire the ConnectionMade method on subscription {1D454A69-8184-4D0D-89B5-0FF0A0BE836F}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80004001.
Record Number: 5
Source Name: EventSystem
Time Written: 20080310144731.000000-240
Event Type: warning
User:

Computer Name: MRFLEMINGTON3
Event Code: 4354
Message: The COM+ Event System failed to fire the StartShell method on subscription {A5978620-5B3F-F1D1-8ED2-00FA0035B753}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80004001.
Record Number: 1
Source Name: EventSystem
Time Written: 20080310144141.000000-240
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

Dakeyras
2009-08-04, 22:27
Hi :)


I don’t know if it is showing up or not but there is a “D” drive in the computer as well. I am not sure it makes a difference or not for what we are currently doing but I do not want you to be surprised later.

That's fine, I am aware of the drive and have taken it into account, but thanks for mentioning it anyway :bigthumb:

D:\ [Fixed-NTFS] .. ( Total:189 Go - Free:150 Go )

Update Mozilla Firefox:

Launch the browser >> click on Help >> Check for Updates...

Next:

Older Adobe related installations pose a security risk and a means for malware to either infect or re-infect a system. We will update this in due course.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 6.0

To do so, click once on the above to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

TFC(Temp File Cleaner):

Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Next:

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.


Double-click mbam-setup.exe and then follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
Launch Malwarebytes' Anti-Malware
Click on the Logs radio tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next:

Please make sure that RSIT.exe is still on the Desktop (if not, inform me straight away please).

Double click once on RSIT.exe
RSIT will start running, at the disclaimer click on Continue.
When done, 1 log will be produced.
Post that in your next reply.


When you have completed the above, please post back the following in the order asked for:


How is your computer performing now? Any other symptoms and/or problems encountered?
Malwarebytes' Anti-Malware Log.
A new RSIT Log.

goner
2009-08-05, 14:44
Hi Dakeyras, my computer seems to be running well but then I never did notice a big problem. I only found out that it was infected when I ran Spybot. Thank you all for Spybot! I have posted both the Malwarebytes and RSIT scans below.

Malwarebytes' Anti-Malware 1.40
Database version: 2560
Windows 5.1.2600 Service Pack 3

8/5/2009 8:26:35 AM
mbam-log-2009-08-05 (08-26-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 197015
Time elapsed: 1 hour(s), 52 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{431961A3-8FEA-4214-830D-FA222839D550}\RP127\A0032120.dll (Backdoor.Bot) -> Quarantined and deleted successfully.


Logfile of random's system information tool 1.06 (written by random/random)
Run by aedesk1 at 2009-08-05 08:31:32
Microsoft Windows XP Professional Service Pack 3
System drive C: has 27 GB (72%) free of 38 GB
Total RAM: 1279 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:51 AM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\aedesk1\Desktop\RSIT.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\aedesk1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcrecruiter.net/pcrbin/pcrnf.asp?uid=odbc.centerpoint
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205177738036
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242419410175
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Hewlett-Packard - C:\Program Files\HP\e-DiagTools\edtsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

Dakeyras
2009-08-05, 15:37
Hi :)

You did not post a complete RSIT log, not a problem however. Just make sure you include the full log next time, thank you.

New Adobe Reader Installation:


Go here (ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/) and click on AdbeRdr910_en_US.exe to download the latest version of Adobe Reader.
Save this file to your desktop and run it to install the latest version of Adobe Reader.


F-Secure Blacklight:

Please download Blacklight from here (http://www.f-secure.com/en_US/security/security-lab/tools-and-services/blacklight/) to your desktop.

or

Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:

"%userprofile%\desktop\fsbl.exe" /expert

Accept the license agreement.
Click > scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Next:

Please make sure that RSIT.exe is still on the Desktop (if not, inform me straight away please).

Double click once on RSIT.exe
RSIT will start running, at the disclaimer click on Continue.
When done, 1 log will be produced.
Post that in your next reply.

When you have completed the above, please post back the following in the order asked for:

How is your computer performing now? Any other symptoms and/or problems encountered?
Blacklight Log.
ESET Log.
A new RSIT Log. <-- Make sure to post the complete log.

goner
2009-08-05, 19:36
Hi Dakeyras, I am not sure how your working hours overlap with mine but my guess is that you are ahead of my time and it is probably getting late where you are. So I wanted to get this post out to you even though it is incomplete. I must have done something wrong with ESET because I could not get a log. I think I did not start it properly in expert rating. I will redo ESET and repost but I wanted to get this response to you in case I am giving you enough information. It did report that there were no infections and it took about 1 hr 10 min to run. Sorry for my screw up. Posted below are the Blacklight log and RSIT log. Again the computer seems to be running OK.

08/05/09 10:37:07 [Info]: BlackLight Engine 2.2.1092 initialized
08/05/09 10:37:07 [Info]: OS: 5.1 build 2600 (Service Pack 3)
08/05/09 10:37:08 [Note]: 7019 4
08/05/09 10:37:08 [Note]: 7005 0
08/05/09 10:37:45 [Note]: 7006 0
08/05/09 10:37:45 [Note]: 7022 0
08/05/09 10:37:45 [Note]: 7011 176
08/05/09 10:37:46 [Note]: 7035 0
08/05/09 10:37:46 [Note]: 7026 0
08/05/09 10:37:46 [Note]: 7026 0
08/05/09 10:37:46 [Note]: FSRAW library version 1.7.1024
08/05/09 10:41:10 [Note]: 7007 0

Logfile of random's system information tool 1.06 (written by random/random)
Run by aedesk1 at 2009-08-05 13:25:09
Microsoft Windows XP Professional Service Pack 3
System drive C: has 27 GB (71%) free of 38 GB
Total RAM: 1279 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:25 PM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\aedesk1\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\aedesk1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcrecruiter.net/pcrbin/pcrnf.asp?uid=odbc.centerpoint
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205177738036
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242419410175
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Hewlett-Packard - C:\Program Files\HP\e-DiagTools\edtsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6073 bytes

======Scheduled tasks folder======

C:\windows\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"=C:\windows\system32\atiptaxx.exe [2001-08-31 245760]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-07-30 77824]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\windows\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk.disabled - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk.disabled - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Microsoft Office.lnk.disabled - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\aedesk1\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\windows\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskmgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Setup\HPZnet01.exe"="E:\Setup\HPZnet01.exe:*:Enabled:Install Consumer Experience Network Plug in"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0eb73434-668f-11de-9cf1-00042314f8b2}]
shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe


======List of files/folders created in the last 1 months======

2009-08-05 11:05:14 ----D---- C:\Program Files\ESET
2009-08-05 10:29:59 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-08-04 17:25:39 ----D---- C:\Documents and Settings\aedesk1\Application Data\Malwarebytes
2009-08-04 17:25:31 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-04 17:25:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-04 17:08:42 ----D---- C:\windows\system32\appmgmt
2009-08-04 11:17:05 ----D---- C:\rsit
2009-08-04 10:53:48 ----D---- C:\Rooter$
2009-08-03 10:27:21 ----D---- C:\Program Files\Trend Micro
2009-07-31 17:48:40 ----D---- C:\windows\ERDNT
2009-07-31 17:46:04 ----D---- C:\Program Files\ERUNT
2009-07-16 15:01:26 ----A---- C:\windows\wininit.ini
2009-07-16 12:05:13 ----HDC---- C:\windows\$NtUninstallKB973346$
2009-07-16 12:04:57 ----HDC---- C:\windows\$NtUninstallKB971633$
2009-07-16 12:04:41 ----A---- C:\windows\system32\MRT.INI
2009-07-16 12:01:14 ----HDC---- C:\windows\$NtUninstallKB961371$
2009-07-07 16:43:29 ----D---- C:\Documents and Settings\aedesk1\Application Data\vlc
2009-07-07 15:04:13 ----D---- C:\Documents and Settings\aedesk1\Application Data\Apple Computer
2009-07-07 15:04:02 ----A---- C:\windows\system32\GEARAspi.dll
2009-07-07 15:03:34 ----D---- C:\Program Files\iPod
2009-07-07 15:03:29 ----D---- C:\Program Files\iTunes
2009-07-07 15:03:29 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-07 15:03:08 ----D---- C:\Program Files\Bonjour
2009-07-07 15:02:21 ----D---- C:\Program Files\QuickTime
2009-07-07 15:02:19 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-07-07 15:01:52 ----D---- C:\Program Files\Apple Software Update
2009-07-07 15:01:38 ----DC---- C:\windows\system32\DRVSTORE
2009-07-07 15:01:10 ----D---- C:\Program Files\Common Files\Apple
2009-07-07 15:01:09 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2009-07-06 08:22:37 ----HDC---- C:\windows\$NtUninstallKB929399$
2009-07-06 08:22:07 ----HDC---- C:\windows\$NtUninstallKB939683$
2009-07-06 08:21:29 ----HDC---- C:\windows\$NtUninstallKB959772_WM11$
2009-07-06 08:21:16 ----HDC---- C:\windows\$NtUninstallKB954154_WM11$
2009-07-06 08:20:10 ----HDC---- C:\windows\$NtUninstallKB936782_WMP11$

======List of files/folders modified in the last 1 months======

2009-08-05 11:07:37 ----D---- C:\windows\Prefetch
2009-08-05 11:05:14 ----AD---- C:\Program Files
2009-08-05 10:30:30 ----SHD---- C:\windows\Installer
2009-08-05 10:30:29 ----HD---- C:\Config.Msi
2009-08-05 10:30:07 ----D---- C:\Program Files\Common Files\Adobe
2009-08-05 10:29:45 ----D---- C:\Program Files\Adobe
2009-08-05 10:29:29 ----AD---- C:\windows\system32
2009-08-05 10:10:01 ----A---- C:\windows\hpbafd.ini
2009-08-05 08:32:25 ----D---- C:\Program Files\Mozilla Firefox
2009-08-05 08:30:43 ----D---- C:\windows\Temp
2009-08-05 08:29:19 ----D---- C:\windows\system32\drivers
2009-08-05 08:29:19 ----AD---- C:\WINDOWS
2009-08-05 08:28:55 ----A---- C:\windows\SchedLgU.Txt
2009-08-04 11:17:42 ----RSHD---- C:\windows\system32\dllcache
2009-08-03 08:57:33 ----HD---- C:\windows\inf
2009-08-03 08:57:33 ----D---- C:\windows\system32\CatRoot2
2009-07-31 17:25:21 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-29 16:03:29 ----SD---- C:\Documents and Settings\aedesk1\Application Data\Microsoft
2009-07-29 12:25:39 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-29 12:01:28 ----D---- C:\windows\system32\en-us
2009-07-29 12:01:28 ----D---- C:\Program Files\Internet Explorer
2009-07-28 15:46:48 ----HD---- C:\windows\$hf_mig$
2009-07-19 09:33:02 ----A---- C:\windows\system32\mshtml.dll
2009-07-19 09:32:59 ----A---- C:\windows\system32\ieframe.dll
2009-07-17 18:39:06 ----D---- C:\windows\Debug
2009-07-15 13:05:13 ----D---- C:\windows\system32\CatRoot
2009-07-07 15:01:36 ----D---- C:\windows\WinSxS
2009-07-07 15:01:10 ----D---- C:\Program Files\Common Files
2009-07-07 11:10:56 ----A---- C:\windows\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\windows\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 Arp1394;1394 ARP Client Protocol; C:\windows\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtaa;ati2mtaa; C:\windows\System32\DRIVERS\ati2mtaa.sys [2001-09-21 282688]
R3 E100B;Intel(R) PRO Adapter Driver; C:\windows\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 NAVAP;NAVAP; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090804.003\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090804.003\NAVEX15.sys []
R3 NIC1394;1394 Net Driver; C:\windows\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 StillCam;Still Serial Digital Camera Driver; C:\windows\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\windows\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\windows\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 ati2mpaa;ati2mpaa; C:\windows\System32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 USBSTOR;USB Mass Storage Driver; C:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\windows\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\windows\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 DefWatch;DefWatch; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe [2002-07-30 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe [2002-07-30 573440]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\windows\System32\Ati2evxx.exe [2000-11-30 57344]
S2 edtlancfg;e-DiagTools LAN Configuration Agent; C:\Program Files\HP\e-DiagTools\edtsrv.exe [2001-09-21 184320]
S3 aspnet_state;ASP.NET State Service; C:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\windows\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

goner
2009-08-05, 21:07
Hi Dakeyras, I reran ESET and reread your earlier post to me. I think I looked in the right place this time and posted the results below. I am a little surprised that there is so little information. Did I do it right this time? I also reran RSIT and posted it as well.

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=85070271f557f749a7dbaad722bd39c6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-05 06:52:55
# local_time=2009-08-05 02:52:55 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 62 40 16 442416479687500
# scanned=84732
# found=0
# cleaned=0
# scan_time=3496
Logfile of random's system information tool 1.06 (written by random/random)
Run by aedesk1 at 2009-08-05 15:04:48
Microsoft Windows XP Professional Service Pack 3
System drive C: has 27 GB (71%) free of 38 GB
Total RAM: 1279 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:03 PM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\aedesk1\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\aedesk1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcrecruiter.net/pcrbin/pcrnf.asp?uid=odbc.centerpoint
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205177738036
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242419410175
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{22A4C7FF-60D0-4FBD-8135-7DED20F73C4C}: NameServer = 207.217.126.81,207.217.77.82
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Hewlett-Packard - C:\Program Files\HP\e-DiagTools\edtsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6106 bytes

======Scheduled tasks folder======

C:\windows\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"=C:\windows\system32\atiptaxx.exe [2001-08-31 245760]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-07-30 77824]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\windows\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk.disabled - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk.disabled - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Microsoft Office.lnk.disabled - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\aedesk1\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\windows\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskmgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Setup\HPZnet01.exe"="E:\Setup\HPZnet01.exe:*:Enabled:Install Consumer Experience Network Plug in"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0eb73434-668f-11de-9cf1-00042314f8b2}]
shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe


======List of files/folders created in the last 1 months======

2009-08-05 11:05:14 ----D---- C:\Program Files\ESET
2009-08-05 10:29:59 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-08-04 17:25:39 ----D---- C:\Documents and Settings\aedesk1\Application Data\Malwarebytes
2009-08-04 17:25:31 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-04 17:25:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-04 17:08:42 ----D---- C:\windows\system32\appmgmt
2009-08-04 11:17:05 ----D---- C:\rsit
2009-08-04 10:53:48 ----D---- C:\Rooter$
2009-08-03 10:27:21 ----D---- C:\Program Files\Trend Micro
2009-07-31 17:48:40 ----D---- C:\windows\ERDNT
2009-07-31 17:46:04 ----D---- C:\Program Files\ERUNT
2009-07-16 15:01:26 ----A---- C:\windows\wininit.ini
2009-07-16 12:05:13 ----HDC---- C:\windows\$NtUninstallKB973346$
2009-07-16 12:04:57 ----HDC---- C:\windows\$NtUninstallKB971633$
2009-07-16 12:04:41 ----A---- C:\windows\system32\MRT.INI
2009-07-16 12:01:14 ----HDC---- C:\windows\$NtUninstallKB961371$
2009-07-07 16:43:29 ----D---- C:\Documents and Settings\aedesk1\Application Data\vlc
2009-07-07 15:04:13 ----D---- C:\Documents and Settings\aedesk1\Application Data\Apple Computer
2009-07-07 15:04:02 ----A---- C:\windows\system32\GEARAspi.dll
2009-07-07 15:03:34 ----D---- C:\Program Files\iPod
2009-07-07 15:03:29 ----D---- C:\Program Files\iTunes
2009-07-07 15:03:29 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-07 15:03:08 ----D---- C:\Program Files\Bonjour
2009-07-07 15:02:21 ----D---- C:\Program Files\QuickTime
2009-07-07 15:02:19 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-07-07 15:01:52 ----D---- C:\Program Files\Apple Software Update
2009-07-07 15:01:38 ----DC---- C:\windows\system32\DRVSTORE
2009-07-07 15:01:10 ----D---- C:\Program Files\Common Files\Apple
2009-07-07 15:01:09 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2009-07-06 08:22:37 ----HDC---- C:\windows\$NtUninstallKB929399$
2009-07-06 08:22:07 ----HDC---- C:\windows\$NtUninstallKB939683$
2009-07-06 08:21:29 ----HDC---- C:\windows\$NtUninstallKB959772_WM11$
2009-07-06 08:21:16 ----HDC---- C:\windows\$NtUninstallKB954154_WM11$
2009-07-06 08:20:10 ----HDC---- C:\windows\$NtUninstallKB936782_WMP11$

======List of files/folders modified in the last 1 months======

2009-08-05 13:47:30 ----D---- C:\windows\Prefetch
2009-08-05 11:05:14 ----AD---- C:\Program Files
2009-08-05 10:30:30 ----SHD---- C:\windows\Installer
2009-08-05 10:30:29 ----HD---- C:\Config.Msi
2009-08-05 10:30:07 ----D---- C:\Program Files\Common Files\Adobe
2009-08-05 10:29:45 ----D---- C:\Program Files\Adobe
2009-08-05 10:29:29 ----AD---- C:\windows\system32
2009-08-05 10:10:01 ----A---- C:\windows\hpbafd.ini
2009-08-05 08:32:25 ----D---- C:\Program Files\Mozilla Firefox
2009-08-05 08:30:43 ----D---- C:\windows\Temp
2009-08-05 08:29:19 ----D---- C:\windows\system32\drivers
2009-08-05 08:29:19 ----AD---- C:\WINDOWS
2009-08-05 08:28:55 ----A---- C:\windows\SchedLgU.Txt
2009-08-04 11:17:42 ----RSHD---- C:\windows\system32\dllcache
2009-08-03 08:57:33 ----HD---- C:\windows\inf
2009-08-03 08:57:33 ----D---- C:\windows\system32\CatRoot2
2009-07-31 17:25:21 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-29 16:03:29 ----SD---- C:\Documents and Settings\aedesk1\Application Data\Microsoft
2009-07-29 12:25:39 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-07-29 12:01:28 ----D---- C:\windows\system32\en-us
2009-07-29 12:01:28 ----D---- C:\Program Files\Internet Explorer
2009-07-28 15:46:48 ----HD---- C:\windows\$hf_mig$
2009-07-19 09:33:02 ----A---- C:\windows\system32\mshtml.dll
2009-07-19 09:32:59 ----A---- C:\windows\system32\ieframe.dll
2009-07-17 18:39:06 ----D---- C:\windows\Debug
2009-07-15 13:05:13 ----D---- C:\windows\system32\CatRoot
2009-07-07 15:01:36 ----D---- C:\windows\WinSxS
2009-07-07 15:01:10 ----D---- C:\Program Files\Common Files
2009-07-07 11:10:56 ----A---- C:\windows\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\windows\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 Arp1394;1394 ARP Client Protocol; C:\windows\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtaa;ati2mtaa; C:\windows\System32\DRIVERS\ati2mtaa.sys [2001-09-21 282688]
R3 E100B;Intel(R) PRO Adapter Driver; C:\windows\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 NAVAP;NAVAP; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090804.003\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090804.003\NAVEX15.sys []
R3 NIC1394;1394 Net Driver; C:\windows\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 StillCam;Still Serial Digital Camera Driver; C:\windows\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\windows\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\windows\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 ati2mpaa;ati2mpaa; C:\windows\System32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 USBSTOR;USB Mass Storage Driver; C:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\windows\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\windows\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 DefWatch;DefWatch; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe [2002-07-30 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe [2002-07-30 573440]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\windows\System32\Ati2evxx.exe [2000-11-30 57344]
S2 edtlancfg;e-DiagTools LAN Configuration Agent; C:\Program Files\HP\e-DiagTools\edtsrv.exe [2001-09-21 184320]
S3 aspnet_state;ASP.NET State Service; C:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\windows\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

Dakeyras
2009-08-05, 22:17
Hi :)

All logs/results appear good :bigthumb:

Aye there is a time difference between us both, it appears you reside in the US and I am in Europe.

Any other issues?

goner
2009-08-05, 22:52
Hi Dakeyras, Thanks for all of your help! Until I found you guys I thought I would have to reformat. Now that my computer appears to be in good shape I would like to protect it. I already have Norton antivirus software but what else should I use to keep my computer clean? I know there are choices but some freeware like Spybot does a better job in some cases than Norton did in finding problems. What group of products is recommended?

One other thing, I have another computer that is exactly the same as this one, except no D drive. After checking it with Spybot I found that it has the same virus in the same location as this one did. Would it make sense to just wipe that disc clean and image copy from this disc to that one? Both drives are Maxtor and I have Maxtor MaxBlast.

All in all, this has been a real learning experience and I will be sure to make a donation. Thanks again!

Dakeyras
2009-08-05, 23:46
Hi :)


Hi Dakeyras, Thanks for all of your help! Until I found you guys I thought I would have to reformat. Now that my computer appears to be in good shape I would like to protect it. I already have Norton antivirus software but what else should I use to keep my computer clean? I know there are choices but some freeware like Spybot does a better job in some cases than Norton did in finding problems. What group of products is recommended?

You are very welcome!

What else you mentioned I shall address shortly.


One other thing, I have another computer that is exactly the same as this one, except no D drive. After checking it with Spybot I found that it has the same virus in the same location as this one did. Would it make sense to just wipe that disc clean and image copy from this disc to that one? Both drives are Maxtor and I have Maxtor MaxBlast.

All in all, this has been a real learning experience and I will be sure to make a donation. Thanks again!

Aye, you could if you so wish, but not before you have carried out my advice/instructions below; otherwise any other infections remaining in the SR points may be transferred, so it is not worth the risk in my opinion.

RE your second machine: if you wish, after carrying out the below I do not mind in the least keeping this topic open and I will check your other machine. This is my call/decision about such, as I could very well advise you to create a new topic, but as mentioned I do not mind doing so as I suspect your machines may be part of a home network.

If you wish for myself to check the other machine, post a Rooter and set of RSIT logs for it in this topic.

Now, if part of a home network and you use a router, I advise you reset the router and apply an admin password. If not sure how to, just inform me of the make/model of router in use and I will provide instructions.

Next:

Congratulations your computer now appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean-up process, and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

Also so is this:

What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)

OTC:

Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to your desktop. This tool will remove all the tools (and logs created) we used to clean your pc.


Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Reset the System Restore points:

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start >> All Programs >> Accessories >>System Tools >> System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start >> Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm
Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed application, Norton AntiVirus, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this once per week.

Erunt:

Emergency Recovery Utility NT: I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself, I would actually create a new backup once per week, as this along with System Restore may prove invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

I advise you visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
Install the Active X
Once installed it will advise you to set Auto-Updates if not already set, and then you will be able to manually check for updates also via:
Start >> All Programs >> Microsoft Update
Be careful when opening attachments and downloading files:

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).
Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.

Make your Internet Explorer safer:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Note: Internet Explorer v8 has been recently released from its beta program, my advice hold off upgrading for the time being as no doubt flaws will be identified and fixes released over the coming months.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly free software, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice: avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A downloaded Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

Here are some Hosts files:

MVPS Hosts File (http://www.mvps.org/winhelp2002/hosts.htm)
Bluetack's Hosts File (http://www.bluetack.co.uk/forums/index.php?showtopic=8406)
Bluetack's Host Manager (http://www.bluetack.co.uk/forums/index.php?autocom=faq&CODE=02&qid=16)
hpHosts (http://hphosts.mysteryfcm.co.uk/?s=Download).
Only use one of the above.

Advised Optional Installation:

There is no sign of a software firewall installed on your system. Regardless of whether you are using a hardware type and/or the inbuilt Windows Service Pack 3 firewall, this is a necessary application as it will also provide outbound protection, whereas the aforementioned do not.

I highly advise you download ONE of the following firewalls and install it. Restart the computer for changes to take effect.

Jetico Personal Firewall (http://www.jetico.com/download.htm)
Online Armour (http://www.tallemu.com/free-firewall-protection-software.html)
Sunbelt Kerio (http://www.sunbelt-software.com/Kerio.cfm)
This article is an excellent resource regarding the aforementioned firewalls: Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)

Finally, an educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein:

So how did I get infected in the first place? (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)

Some consider this article outdated; personally I still think it bears relevance, and the author is well respected in the Anti-Malware community and by myself also!

Any questions, feel free to ask. If not, stay safe!
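The hosts-file advice above says what the replacement file does (map bad names to 127.0.0.1) but not how to check what is actually in the file on the machine. The script below is an added example, not part of the thread and not code from MVPS, hpHosts or Spybot: it parses a Windows hosts file the way the resolver reads it (first matching line wins, consulted before DNS), counts blocklist entries, and flags any line that points a security vendor's name somewhere other than a sinkhole address, which is the classic malware edit that keeps a victim off update and removal sites. It assumes PowerShell 2.0 or later is installed (it is not on a default XP install) and the hosts file is at the standard path; the sample hosts content and the 203.0.113.5 address are constructed for the example.

```powershell
# Added example: audit the Windows hosts file.  Not from the original thread.
# Assumes PowerShell 2.0+ and the standard hosts path; run with -UseSample to
# parse the constructed sample instead of the real file.
param(
    [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
    [switch]$UseSample
)

# Constructed sample, not a real hosts file.  203.0.113.5 is a documentation
# (TEST-NET-3) address standing in for an attacker-controlled host.
$sampleHosts = @'
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocklist-style lines, the kind the MVPS / hpHosts files contain
127.0.0.1       ad.doubleclick.net
0.0.0.0         tracker.example.net
# a hijack line, the kind malware appends
203.0.113.5     www.symantec.com liveupdate.symantec.com
'@

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#')[0].Trim()          # strip comments and whitespace
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }           # address with no names
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{ Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

# The resolver checks the hosts file before DNS and the first matching line wins.
function Resolve-ViaHosts {
    param([object[]]$Entries, [string]$Name)
    $hit = $Entries | Where-Object { $_.Name -eq $Name.ToLower() } | Select-Object -First 1
    if ($hit) { return $hit.Address }
    return '(no hosts entry, DNS would be queried)'
}

if ($UseSample) { $lines = $sampleHosts -split "`r?`n" } else { $lines = Get-Content -Path $HostsPath }
$entries   = @(Get-HostsEntries -Lines $lines)
$sinkholes = @('127.0.0.1', '0.0.0.0', '::1')

$blocked = @($entries | Where-Object { $sinkholes -contains $_.Address -and $_.Name -ne 'localhost' })
Write-Output ("{0} blocklist entries found in {1}" -f $blocked.Count, $(if ($UseSample) { 'sample' } else { $HostsPath }))

# Any entry naming a security vendor that does NOT go to a sinkhole is suspect.
$vendors  = 'symantec|norton|liveupdate|microsoft|windowsupdate|safer-networking|malwarebytes|spybot'
$hijacked = @($entries | Where-Object { $_.Name -match $vendors -and $sinkholes -notcontains $_.Address })
foreach ($h in $hijacked) {
    Write-Warning ("hosts file redirects {0} to {1}; remove that line" -f $h.Name, $h.Address)
}

# Worked lookups: a blocked ad host, a hijacked vendor host, an untouched name.
foreach ($n in 'ad.doubleclick.net', 'www.symantec.com', 'forums.spybot.info') {
    Write-Output ("{0,-25} -> {1}" -f $n, (Resolve-ViaHosts -Entries $entries -Name $n))
}
```

Two practical notes on the hosts files the post links: they all write to the same file, which is why only one should be used at a time, and on XP a very large hosts file is re-read by the DNS Client service, so the MVPS page recommends setting that service to Manual if name resolution becomes slow after installing it. Entries that use 0.0.0.0 rather than 127.0.0.1 avoid a connection attempt to any web server running on the local machine; both count as a sinkhole for the check above.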

goner
2009-08-06, 15:06
Wow, thank you for your very magnanimous offer and I will take you up on it. You gave me some homework and I will work on that before I get started on the rest of the project but I wanted to get back to you. You are correct, the computers I am talking about are not used for work. I do have these two at work but I use them for personal things like music, picture display, self education and personal web surfing. Actually, the other one is, or was, the clean backup for this one. They used to be work computers but are now 7 years old and were retired from that duty about 2 years ago. Two other safe computing questions, I typically use thumb drives and external hard drives for sharing and backing up. How do I find out if I have infected them and then how do I stop them from infecting other machines?

Interestingly, as I perused the instructions I noticed it said not to open email from strangers. I laughed at that part because a large part of my work requires opening email from strangers. I have a very small two person business and I have not checked those computers for problems. I guess I will be doing that soon. :sad:

Dakeyras
2009-08-06, 21:36
Hi :)

You're welcome!

You can disinfect any USB drives as follows (repeat the procedure as many times as needed if multiple drives are in use):

Flash_Disinfector FOR XP

Please download Flash_Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your desktop.
Double click to run it.
You will be prompted to plug in your flash drive. Plug it in.
Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Next:

As long as you post the logs requested for the other computer within a 3-5 day period, not a problem; otherwise I will have to close this topic and you will need to create a new one, thank you.

Regarding your actual business machines, unfortunately you will be unable to request assistance for them, if the need arises, here in Safer Networking:

When the infected computer in question is a company machine in the workplace, or you are an employee. (http://forums.spybot.info/showpost.php?p=25712&postcount=5)
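The note above says Flash_Disinfector leaves a hidden folder named autorun.inf on each drive and that the folder protects the drive. The script below is an added example, not part of the thread and not Flash_Disinfector's own code: it shows the general autorun.inf-folder defence written out (a directory of that name means a worm's attempt to drop a file of that name fails), and first inspects the drive for the two signs of an autorun worm, an autorun.inf file with an open= or shellexecute= line and hidden executables at the drive root. The reserved-device-name subfolder is the commonly used way of making the directory hard to delete from Explorer; that this is what the tool does internally is an assumption. It assumes PowerShell 2.0 or later and that the drive letters passed in are the removable drives.

```powershell
# Added example: inspect a removable drive for autorun-worm traces, then apply
# the autorun.inf-folder defence.  Not Flash_Disinfector's code; the reserved
# device-name trick is the commonly used approach, assumed here.
# Assumes PowerShell 2.0+ and that $Drives lists removable drive letters.
param([string[]]$Drives = @('E:'))

# Worm-written autorun.inf files use these keys to launch a payload on insert.
$launchKeys = '^\s*(open|shellexecute|shell\\\w+\\command)\s*='

foreach ($d in $Drives) {
    $root = $d + '\'
    $inf  = Join-Path $root 'autorun.inf'

    # 1. An autorun.inf FILE at the root is the worm's launcher; show what it runs.
    if (Test-Path -Path $inf -PathType Leaf) {
        Write-Warning "$inf is a file; a removable-drive worm may have written it."
        Get-Content -Path $inf | Where-Object { $_ -match $launchKeys } |
            ForEach-Object { Write-Warning ('  launches: ' + $_.Trim()) }
        Write-Warning 'Scan the drive before deleting it; the referenced executable is the payload.'
        continue
    }

    # 2. Hidden/system executables at the root are the other half of the pattern.
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.Extension -match '^\.(exe|scr|com|pif|bat|cmd)$' -and
            ($_.Attributes -band [IO.FileAttributes]::Hidden)
        } |
        ForEach-Object { Write-Warning ('hidden executable at root: ' + $_.FullName) }

    # 3. Defence: a DIRECTORY named autorun.inf blocks creation of a file of that name.
    if (-not (Test-Path -Path $inf -PathType Container)) {
        New-Item -Path $inf -ItemType Directory | Out-Null
        # The \\.\ prefix makes cmd.exe skip name validation, so a subfolder with a
        # reserved device name ("con") can be created; Explorer then cannot delete it.
        & cmd.exe /c ('md "\\.\' + $inf + '\con"') 2>$null
    }
    & attrib.exe +s +h +r $inf
    if (Test-Path -Path $inf -PathType Container) {
        Write-Output "$d protected: autorun.inf is a hidden, read-only system directory"
    }
}
```

The folder is a speed bump, not a guarantee: anything already running with administrator rights can remove it, and later Windows updates stopped honouring autorun.inf on USB sticks altogether, so keep the scan steps in the post as the real check and treat the folder as belt-and-braces.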

goner
2009-08-07, 21:27
Hi Dakeyras, Again, thanks for your help. No problem with not helping with business computers. I did not expect that. Not too sure I will be in business much longer with the economy the way it is anyway.
I have been busy learning about and then implementing your suggestions. I read that after 2001 Symantec’s Antivirus software included script protection. I have Symantec 2002 running on this machine but could not find a switch to turn on or off so I downloaded Noscript. I figured that it would not be a problem but let me know if I am wrong.
I checked my internet explorer and found that the controls were already set up as you suggested. I guess that is good news. However, I mostly use firefox because I heard that it was better and safer. Am I wrong?
I checked the firewalls and found out that Online Armour has a free version with limited functions. I think the only thing I really needed was the outgoing protection since I already have Microsoft firewall turned on and I think the other items are already taken care of. So my questions about that are, am I right and should I disable the Microsoft version after downloading Online Armour?
The Host File issue was a funny one for me. I had no idea what it was and did not fully understand it from the short explanation. I found a good overview in Wikipedia. It mentioned that a good protection step would be to use the immunize function in Spybot. How does that differ from the applications you mentioned and can they be used together or should I not use one or the other?
Finally, regarding the program to clean USB drives, how do I know if there is a virus hidden on an external drive? I have a 500MB USB drive I have been using for backup for some time. I may have a virus lurking in there somewhere. I am guessing I can connect it up and run Spybot SD on it to find out.

Dakeyras
2009-08-07, 21:49
Hi :)

Wow, you wrote an essay for me! Just kidding ;)


Hi Dakeyras, Again, thanks for your help. No problem with not helping with business computers.

You are very welcome, and thank you for understanding both my own and this forum's stance on the aforementioned computers.


I read that after 2001 Symantec’s Antivirus software included script protection. I have Symantec 2002 running on this machine but could not find a switch to turn on or off so I downloaded Noscript. I figured that it would not be a problem but let me know if I am wrong.

That's fine.


I checked my internet explorer and found that the controls were already set up as you suggested. I guess that is good news. However, I mostly use firefox because I heard that it was better and safer. Am I wrong?

Contrary to popular belief, if IE is configured correctly and safe online practices are used, it is just as safe as FF; use either as you see fit and always make sure both are updated.


I checked the firewalls and found out that Online Armour has a free version with limited functions. I think the only thing I really needed was the outgoing protection since I already have Microsoft firewall turned on and I think the other items are already taken care of. So my questions about that are, am I right and should I disable the Microsoft version after downloading Online Armour?

Aye, do disable XP SP3, though it should have been automatically disabled during the installation process of Online Armour.

You can check as follows:

Click on Start >> Run... and cut/paste in the following and click on OK

firewall.cpl

It should be set to Off (Not recommended).


The Host File issue was a funny one for me. I had no idea what it was and did not fully understand it from the short explanation. I found a good overview in Wikipedia. It mentioned that a good protection step would be to use the immunize function in Spybot. How does that differ from the applications you mentioned and can they be used together or should I not use one or the other?

You can use any of the Host Files I recommended or the immunize feature of Spybot, which in itself is a pseudo Host File. Decide which you wish to use; either choice is fine.


Finally, regarding the program to clean USB drives, how do I know if there is a virus hidden on an external drive? I have a 500MB USB drive I have been using for backup for some time. I may have a virus lurking in there somewhere. I am guessing I can connect it up and run Spybot SD on it to find out.

Use Flash_Disinfector as advised and, if you wish for further peace of mind, leave the USB drive connected and run a full scan with MBAM, then with Norton AV.
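The helper's reply says IE is as safe as Firefox "if configured correctly" and gives a firewall.cpl check for the Windows Firewall state. The script below is an added example, not part of the thread and not Spybot's or Online Armor's code: it reads back the six Internet-zone settings listed in the earlier "Make your Internet Explorer safer" section straight from the registry, reports which ones differ from the values the post asks for, optionally sets them with -Fix, and reports whether the XP Windows Firewall is on. It assumes PowerShell 2.0 or later; the numeric value names (1001, 1004, 1201, 1800, 1804, 1607 under the Zones\3 key) and the 0/1/3 = Enable/Prompt/Disable encoding are the zone action IDs Microsoft uses for those Custom Level settings, and the StandardProfile\EnableFirewall value is where XP records the firewall state; confirm both against the dialogs on your own machine before trusting -Fix.

```powershell
# Added example: audit the IE Internet-zone settings from the thread and the
# XP Windows Firewall state.  Not from the original thread.
# Assumes PowerShell 2.0+; value IDs and the 0/1/3 encoding are the zone
# action IDs as understood by the author of this example.  -Fix writes them.
param([switch]$Fix)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# value name, description from the post, value the post asks for
$wanted = @(
    @{ Id = '1001'; Desc = 'Download signed ActiveX controls';                       Want = 1 },
    @{ Id = '1004'; Desc = 'Download unsigned ActiveX controls';                     Want = 3 },
    @{ Id = '1201'; Desc = 'Initialise and script ActiveX controls not marked safe'; Want = 3 },
    @{ Id = '1800'; Desc = 'Installation of desktop items';                          Want = 1 },
    @{ Id = '1804'; Desc = 'Launching programs and files in an IFRAME';              Want = 1 },
    @{ Id = '1607'; Desc = 'Navigate sub-frames across different domains';           Want = 1 }
)

# Caveat: if the Security_HKLM_only policy is set, the HKLM copy of this key
# applies instead of HKCU and the per-user values read here are ignored.
$zone = Get-ItemProperty -Path $zoneKey
foreach ($w in $wanted) {
    $cur = $zone.($w.Id)
    if ($cur -eq $null) {
        $curText = 'not set (IE default applies)'
    } else {
        $curText = $meaning[[int]$cur]
        if (-not $curText) { $curText = "raw value $cur" }
    }
    $ok = ($cur -eq $w.Want)
    if ($ok) { $flag = 'OK ' } else { $flag = 'FIX' }
    Write-Output ('{0} {1,-55} current: {2,-28} wanted: {3}' -f $flag, $w.Desc, $curText, $meaning[$w.Want])
    if ($Fix -and -not $ok) {
        Set-ItemProperty -Path $zoneKey -Name $w.Id -Value $w.Want -Type DWord
    }
}

# Windows Firewall (XP SP2/SP3) state, the same thing firewall.cpl displays.
# 'netsh firewall show opmode' gives the same answer from a command prompt.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 1) {
    Write-Output 'Windows Firewall: ON  (expected only if no third-party firewall is installed)'
} else {
    Write-Output 'Windows Firewall: OFF (expected once Online Armor or another firewall has taken over; otherwise turn it back on)'
}
```

Run it once without -Fix to see the current state, and re-run after changing settings or installing a third-party firewall to confirm the hand-over happened; the firewall line is the scripted equivalent of the Off (Not recommended) check in the post, and either state can be correct depending on whether a replacement firewall is actually running.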

Dakeyras
2009-08-09, 22:49
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.