View Full Version : safer-networking.org doesn't show up at all
manofsteele
2009-08-05, 04:09
Recently I've been getting some signs of malware on my PC. my suspicions were confirmed when Google started redirecting me. I went to download Spybot, and it showed up that safer-networking.org simply won't load. After trying 50 different links to the site and refreshing multiple times, it won't load. I tried on my laptop and other PC, and it works perfectly fine.
I'm in a bit of a predicament because I'm not sure if Hijack This will pick up on what's going on because it's not downloading or installing anything, and I can't download Spybot to find and or get rid of the thing at all.
I've even put the Spybot program on an external hard-drive (Downloaded from my other PC), brought it over to this one, and no luck.
I'm completley lost.
Never mind, I had a stupid moment and didn't read at all what HJT does. Here'e the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:59 PM, on 8/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smashfan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jean-Marie Steele')
O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User 'Jean-Marie Steele')
O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Jean-Marie Steele')
O4 - HKUS\S-1-5-21-3172048194-4239167596-3374511373-1008\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Jean-Marie Steele')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - S-1-5-21-3172048194-4239167596-3374511373-1008 Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Jean-Marie Steele')
O4 - S-1-5-21-3172048194-4239167596-3374511373-1008 User Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Jean-Marie Steele')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133540938156
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.197.197.250/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FAA2960-2AF2-4B6B-87EB-1716B8DD261C}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEC50229-E70A-4BB6-BE09-EE2DACD2F08B}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{3FAA2960-2AF2-4B6B-87EB-1716B8DD261C}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{3FAA2960-2AF2-4B6B-87EB-1716B8DD261C}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13621 bytes
pskelley
2009-08-06, 04:56
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You must have read and followed the "Before you Post" instructions.
At the least you are hacked by criminals form the Ukraine:
http://whois.domaintools.com/85.255.112.107
These infections can be tough to remove, so do not expect fast or easy. If that works for you we will start like this.
1) Please do not enable TeaTimer while we work together.
2) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
http://www.besttechie.net/mbam/mbam-setup.exe <<< download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://thespykiller.co.uk/index.php/topic,5946.0.html
3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
manofsteele
2009-08-07, 16:26
Malwarebytes.org has also been blocked.
Both links show up as broken pages, where as on my other PC, they work fine.
pskelley
2009-08-07, 16:37
Use the link to the download I provided. "Save this file now"
Save it to the Desktop and before you save it change the file name to manofsteele.exe Then run it as instructed.
If you can't do that, download it to a clean computer and bring it to the infected one. Install on the Desktop and rename if necessary.
Thanks
manofsteele
2009-08-07, 17:00
Unfortunately, Malwarebytes itself will not run. I went to another PC, brought the re-named installer over to my desktop, installed it, and it will not launch at all.
pskelley
2009-08-07, 17:04
You understand it is the junk the hacker put on the computer that is stopping the tool from running. Did you try renaming the installer as I suggested? You can also try booting to safe mode and running it there.
http://spyware-free.us/tutorials/safemode/
Thanks
manofsteele
2009-08-10, 22:41
Sorry for the delay.
Even with the re-named installer (manofsteele.exe as you suggested) in safe mode, Malwarebytes will not run.
I tried running it while in safe mode, but it would not run. I uninstalled it, and re-installed it while in safe mode, and it would still not run.
pskelley
2009-08-11, 00:01
1) This tool will look for a Rootkit infection.
Download it to your Desktop
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Double click the fsbl.exe and accept the agreement
Click NEXT...then Scan
BlackLight will Scan for hidden items
If anything is found save the report and post it.
Items found may be valid so do not remove anything.
2) Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your Desktop.
Post the contents of GMER.txt in your next reply.
manofsteele
2009-08-11, 03:16
Nothing was found in the FSBL program, but I saved the log just in case you need it later.
Here's the GMER Log:
GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-10 20:12:57
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
Code 8304CD60 ZwEnumerateKey
Code 8303F3E0 ZwFlushInstructionCache
Code 83020246 IofCallDriver
Code 8301F276 IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8302024B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 8301F27B
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 8304CD64
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8303F3E4
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \FileSystem\Fastfat \Fat EE2FAD20
Device \FileSystem\Fastfat \Fat EE3018C1
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcasrmyejuhtxxyakxnalenpsditeucauo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcasrmyejuhtxxyakxnalenpsditeucauo.dll
---- Files - GMER 1.0.15 ----
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\addressBook 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\addressBookApp 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\addressBookPrint 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\aimToolkit 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\bfts 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\boxelyrenderer 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\boxelyToolkit 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\compression 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\htmlRenderer 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\http 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\imApp 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\localStorage 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\miniXML 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\notification 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\os 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\osInfo 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\preferences 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\security 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\softwareUpdate 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\sync 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\toaster 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\urlData 0 bytes
File C:\Program Files\AIM6\services\boxelyToolkit\ver3_1_3_4\content\editorPack\urlDispatcher 0 bytes
---- EOF - GMER 1.0.15 ----
pskelley
2009-08-11, 12:08
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
http://www.bleepingcomputer.com/forums/topic114351.html
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
When the tool is finished, it will produce a report for you. Post that report and a new HJT log
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Thanks
manofsteele
2009-08-12, 19:43
Here's the ComboFix log:
ComboFix 09-08-10.06 - Taylor Steele 08/12/2009 11:59.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.163 [GMT -4:00]
Running from: c:\documents and settings\Taylor Steele\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Taylor Steele\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Brian Steele\Application Data\alot
c:\documents and settings\Brian Steele\Favorites\games.url
c:\program files\INSTALL.LOG
C:\restore
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\Downloaded Program Files\sysinetsvc32.inf
c:\windows\Installer\15e8f9.msi
c:\windows\Installer\15e8ff.msi
c:\windows\Installer\15e905.msi
c:\windows\Installer\221bd3.msi
c:\windows\Installer\45233.msp
c:\windows\Installer\6f6674.msi
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
c:\windows\system32\gxvxcasrmyejuhtxxyakxnalenpsditeucauo.dll
c:\windows\system32\gxvxccounter
c:\windows\system32\vyubdiw_nav.dat
c:\windows\tmlpcert2007
c:\windows\winhelp.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys
((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.
2009-08-07 17:19 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 17:19 . 2009-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-07 17:19 . 2009-08-10 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 17:19 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 00:46 . 2009-08-07 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-08-07 00:38 . 2009-08-07 00:38 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-05 16:53 . 2009-08-05 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-05 16:53 . 2007-05-13 16:24 86683 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-05 13:27 . 2009-08-05 13:27 152576 ----a-w- c:\documents and settings\Taylor Steele\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 01:15 . 2009-08-05 01:15 -------- d-----w- c:\program files\Trend Micro
2009-08-02 13:14 . 2009-08-12 14:54 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-08-02 00:47 . 2009-08-02 00:47 -------- d-----w- c:\documents and settings\Taylor Steele\Application Data\ArcSoft
2009-08-01 00:38 . 2006-11-03 14:59 48128 ----a-w- c:\windows\system32\Remove.exe
2009-08-01 00:37 . 2009-08-01 00:38 -------- d-----w- c:\program files\Common Files\PAC7302
2009-08-01 00:37 . 2009-08-01 00:37 -------- d-----w- c:\program files\PC VGA Camer@ Plus
2009-07-31 21:56 . 2009-07-31 21:56 -------- d-----w- c:\windows\PixArt
2009-07-31 21:51 . 2009-07-31 21:51 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-07-31 21:51 . 2005-02-23 18:58 11776 ----a-w- c:\windows\system32\drivers\afc.sys
2009-07-31 21:51 . 2009-07-31 21:51 -------- d-----w- c:\program files\ArcSoft
2009-07-31 21:43 . 2009-07-31 21:43 -------- d-----w- c:\documents and settings\Brian Steele\Application Data\InstallShield
2009-07-20 21:49 . 2009-07-20 21:49 -------- d-----w- c:\program files\iPod
2009-07-20 21:48 . 2009-07-20 21:50 -------- d-----w- c:\program files\iTunes
2009-07-20 21:46 . 2009-07-20 21:46 -------- d-----w- c:\program files\Bonjour
2009-07-20 21:40 . 2009-07-20 21:40 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-20 20:40 . 2009-08-07 16:32 -------- d-----w- c:\documents and settings\Rick Steele\Tracing
2009-07-20 18:49 . 2009-07-20 18:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 19:53 . 2009-06-05 18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 14:13 . 2009-06-14 12:39 -------- d-----w- c:\documents and settings\Taylor Steele\Application Data\AVGTOOLBAR
2009-08-07 16:31 . 2005-03-01 13:20 -------- d-----w- c:\program files\Plaxo
2009-08-05 14:11 . 2008-11-27 15:07 -------- d-----w- c:\documents and settings\Taylor Steele\Application Data\LimeWire
2009-08-05 13:29 . 2005-01-06 15:20 -------- d-----w- c:\program files\Java
2009-08-02 00:39 . 2006-06-21 19:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 00:30 . 2006-06-21 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-01 00:39 . 2003-01-14 17:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-01 00:21 . 2006-07-19 21:49 -------- d-----w- c:\documents and settings\Jean-Marie Steele\Application Data\ArcSoft
2009-07-31 21:52 . 2006-07-29 18:56 -------- d-----w- c:\documents and settings\Rick Steele\Application Data\ArcSoft
2009-07-25 09:23 . 2008-11-27 14:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 21:49 . 2007-07-05 22:58 -------- d-----w- c:\program files\Common Files\Apple
2009-07-13 19:22 . 2009-06-05 16:06 -------- d-----w- c:\program files\HyCam2
2009-07-12 22:06 . 2009-07-12 22:06 -------- d-----w- c:\documents and settings\Jean-Marie Steele\Application Data\AVGTOOLBAR
2009-07-09 02:45 . 2003-03-13 13:39 -------- d-----w- c:\program files\ChainCast
2009-06-26 13:06 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\Rick Steele\Application Data\AVGTOOLBAR
2009-06-25 21:31 . 2009-06-25 21:30 664 ----a-w- c:\documents and settings\Brian Steele\Local Settings\Application Data\d3d9caps.tmp
2009-06-24 20:40 . 2009-06-24 19:28 -------- d-----w- c:\documents and settings\Brian Steele\Application Data\AVGTOOLBAR
2009-06-24 18:52 . 2006-07-16 19:17 260016 ----a-w- c:\documents and settings\Brian Steele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 23:33 . 2003-11-18 18:20 -------- d-----w- c:\program files\Lavasoft
2009-06-13 23:33 . 2006-06-21 19:30 -------- d-----w- c:\documents and settings\Rick Steele\Application Data\Lavasoft
2009-06-13 17:32 . 2009-06-13 17:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-13 17:32 . 2009-06-13 17:32 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-13 17:32 . 2009-06-13 17:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-13 17:32 . 2009-06-13 17:32 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-13 17:32 . 2007-03-02 14:35 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\program files\AVG
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-13 15:20 . 2003-01-16 19:49 260016 ----a-w- c:\documents and settings\Rick Steele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 15:34 . 2006-07-14 19:56 260016 ----a-w- c:\documents and settings\Taylor Steele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 00:02 . 2007-07-04 13:26 260016 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-05-29 17:36 . 2008-09-09 21:14 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 17:36 . 2007-12-12 02:31 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2007-01-16 00:50 . 2007-01-16 00:50 5186048 ----a-w- c:\program files\WindowsDefender.msi
2008-04-14 00:12 . 2002-09-03 16:29 6144 --sh--r- c:\windows\SYSTEM32\csrss.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-20 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Gene USB Monitor"="c:\windows\system32\UMonit2K.exe" [2002-12-17 40960]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-13 1947928]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-14 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-13 17:32 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R3 SMALUSB;Digital Camera Driver;c:\windows\system32\DRIVERS\smallogi.sys [2002-11-22 11721]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-06-13 12552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-06-13 325896]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-06-13 108552]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-06-13 298776]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\DRIVERS\PAC7302.SYS [2007-09-10 457984]
.
Contents of the 'Scheduled Tasks' folder
2009-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]
2009-08-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smashfan.com/
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Taylor Steele\Application Data\Mozilla\Firefox\Profiles\qphcv3vr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.smashfan.com/
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Taylor Steele\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 12:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-08-12 12:31
ComboFix-quarantined-files.txt 2009-08-12 16:31
Pre-Run: 1,264,095,232 bytes free
Post-Run: 3,052,867,584 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
257 --- E O F --- 2008-12-19 19:34
And here's the HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:52 PM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smashfan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133540938156
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.197.197.250/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{3FAA2960-2AF2-4B6B-87EB-1716B8DD261C}: NameServer = 85.255.112.107,85.255.112.226
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 10888 bytes
pskelley
2009-08-12, 21:03
We have more junk to clean, you would be wise to keep this computer offline except when troubleshooting.
Return to my post $2 and follow instructions 1 2 & 3, you should be able to run MBAM now.
Post the log from the MBAM scan, the uninstall list and a new HJT log run after the scan.
Thanks
manofsteele
2009-08-13, 03:28
Lots of logs :laugh:
MBAM Log:
Malwarebytes' Anti-Malware 1.40
Database version: 2612
Windows 5.1.2600 Service Pack 3
8/12/2009 8:12:37 PM
mbam-log-2009-08-12 (20-12-37).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 244703
Time elapsed: 4 hour(s), 23 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3faa2960-2af2-4b6b-87eb-1716b8dd261c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{fec50229-e70a-4bb6-be09-ee2dacd2f08b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcasrmyejuhtxxyakxnalenpsditeucauo.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:32 PM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smashfan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by129fd.bay129.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133540938156
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.197.197.250/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11690 bytes
Uninstall List Log:
3ivx MPEG-4 5.0.3 (remove only)
Action Replay Code Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player
AIM 6
America Online
AOL Coach Version 1.0(Build:20011028.1)
Apple Mobile Device Support
Apple Software Update
ArcSoft VideoImpression 2
AusLogics Disk Defrag
AVG 8.5
BCM V.92 56K Modem
Bonjour
Broadcom Advanced Control Suite
Brother MFL-Pro Suite
CCleaner (remove only)
Choice Guard
Dell Modem-On-Hold
Dell ResourceCD
Dell Solution Center
Dell Support Center
Digital Line Detect
Drum Controller Standard Tuning Kit
Easy CD Creator 5 Basic
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Software Update
HyperCam 2
iTunes
Java(TM) 6 Update 15
LG USB Drivers
LG USB Modem driver
LimeWire 4.18.8
Logitech Pocket Digital
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft AntiSpyware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Location Finder
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (3.5.2)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
muvee Plugin 1.0
Nick Aracde Toolbar
OTOY
overland
Panda ActiveScan
PaperPort
PC VGA Camer@ Plus
Plaxo Toolbar for Windows
QuickTime
QuickTime for Windows (32-bit)
Rhapsody Player Engine
Samsung USB Driver (MCCI 4.34) WHQL v3.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Segoe UI
Shockwave
Sierra Streets
Startup Inspector for Windows v2.07
The Print Shop 20
TI Connect 1.6
Ulead GIF Animator Lite Edition 1.0
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtools 3D Life Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Hi,
Phil won't be able to reply so I promised to take the topic over. Hopefully it's ok to you.
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
LimeWire
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders if still present:
c:\documents and settings\Taylor Steele\Application Data\LimeWire
c:\Program Files\LimeWire
After that:
Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 & 9.1.3 for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Check here (http://www.adobe.com/software/flash/about/) if your Flash is up-to-date. If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
There appears to be some McAfee remnants there. Please download and run removal tool here (http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html) to clean the leftovers.
When those steps are done, reboot and post a fresh hjt log. How's the system running?
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.