
Spybot won't start



brian480
2009-08-31, 22:01
Hi there, just wondered if anyone could help me.
I got a virus on my XP Service Pack 3 machine called a.exe. I managed to get rid of it, but not before it shut down Windows Defender, and it won't start again. Spybot won't start ("Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"), same with Malwarebytes Anti-Malware. Every time I try installing new scanners to try, they install fine, but once started they suddenly vanish. I got RootAlyzer to run and saved the log to my desktop but don't know what to do with it. Any help is really appreciated.

Bio-Hazard
2009-08-31, 22:58
Hello and welcome to the forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:



I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.



Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

No Reply Within 4 Days Will Result In Your Topic Being Closed!!




Download and run Win32kDiag


Download Win32kDiag from any of the following locations and save it to your Desktop.

Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)


Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.




Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:


Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)

Please disable any anti-malware program that will block scripts from running before running DDS.



Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:

DDS.txt
Attach.txt


A window will open instructing you to save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply





SysProt Antirootkit

Download SysProt Antirootkit from HERE (http://sites.google.com/site/sysprotantirootkit/) (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).



Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items.

Process
Kernel Modules
SSDT
Kernel Hooks
Hidden Files

At the bottom of the page select

Hidden Objects Only

Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive.
Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to.
Open the text file and copy/paste the log here.




Next Reply

Please reply with:


DDS.txt
Attach.txt
Sysprot Log
Win32kDiag.txt

brian480
2009-09-01, 01:10
Log file is located at: C:\Documents and Settings\change me\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP126.tmp\ZAP126.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13D.tmp\ZAP13D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP145.tmp\ZAP145.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP150.tmp\ZAP150.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17B.tmp\ZAP17B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B9.tmp\ZAP1B9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1FB.tmp\ZAP1FB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP22.tmp\ZAP22.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP225.tmp\ZAP225.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP24B.tmp\ZAP24B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP261.tmp\ZAP261.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A0.tmp\ZAP2A0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A7.tmp\ZAP2A7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C5.tmp\ZAP2C5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C8.tmp\ZAP2C8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E0.tmp\ZAP2E0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3BC.tmp\ZAP3BC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP61.tmp\ZAP61.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6B.tmp\ZAP6B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9C.tmp\ZAP9C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\BIOV18EL\BIOV18EL

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\DLSY5CIP\DLSY5CIP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\LT07DKQX\LT07DKQX

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\V3AHNU07\V3AHNU07

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ODCTOOLS\ODCTOOLS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\ODCTOOLS\ODCTOOLS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\2E43F6A45E9061642B72A4624A886A9F\10.0.1600\10.0.1600

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\3323515BEEA94DC4D9C2F4AA8C07BD2E\10.0.1600\10.0.1600

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\6BA4943F00966C14FA7528636228E78D\10.0.1600\10.0.1600

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{55A29068-F2CE-456C-9148-C869879E2357}\{55A29068-F2CE-456C-9148-C869879E2357}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Performance\WinSAT\DataStore\DataStore

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2025429265-436374069-725345543-1003\S-1-5-21-2025429265-436374069-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2025429265-436374069-725345543-1011\S-1-5-21-2025429265-436374069-725345543-1011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\Original\Original

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\RCSBakup\RCSBakup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\regback\regback

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Avanquest\AntiMalware\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\HLRRVRUP\HLRRVRUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\SX3DSC3J\SX3DSC3J

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\ZXIN4AF3\ZXIN4AF3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!\Companion\Buttons\Buttons

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\WebSlices~

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Services\Services

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2007-12-31 11:03:17 56320 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 02:11:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 02:11:54 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 02:11:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ffdshow\languages\languages

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe ()

[2] 2009-07-07 16:10:56 24539592 C:\System Volume Information\_restore{B5D1D133-8F97-4931-88CC-3FCE7C3F15F6}\RP255\A0068380.exe (Microsoft Corporation)

[2] 2009-07-30 01:49:14 24281536 C:\System Volume Information\_restore{B5D1D133-8F97-4931-88CC-3FCE7C3F15F6}\RP349\A0104509.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\RegiCleanse\Backup\Favourite\Favourite

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\RegiCleanse\Backup\Registry\Registry

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\RsFx\RsFx

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_00BB\__SKIP_00BB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
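What the Win32kDiag log above is showing, as an added example that is not part of the thread and not code from the Win32kDiag tool: dozens of directories under C:\WINDOWS have been turned into reparse points whose target is a bare device object named `\Device\__max++>\^` rather than a `\??\`-prefixed volume or path, and the live `system32\eventlog.dll` is 62464 bytes with an empty company string while every reference copy listed beside it is 56320 bytes and carries "Microsoft Corporation". The script below parses a constructed excerpt in the tool's line format and flags both patterns. The "benign destination starts with `\??\`" rule and the size/company heuristics are my assumptions for triage, not rules of the tool.

```python
"""Triage a Win32kDiag log: flag directories re-pointed at a rogue device and
an inaccessible system file whose live copy differs from its reference copies.

Added example for this thread, not code from the Win32kDiag tool. SAMPLE_LOG is
a constructed excerpt in the tool's output format; the 'benign destination'
prefix and the size/company heuristics are assumptions, not rules of the tool.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted above (same line formats).
SAMPLE_LOG = """\
Log file is located at: C:\\Documents and Settings\\user\\Desktop\\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\\WINDOWS'...

Found mount point : C:\\WINDOWS\\addins\\addins

Mount point destination : \\Device\\__max++>\\^

Found mount point : C:\\WINDOWS\\CSC\\d1\\d1

Mount point destination : \\Device\\__max++>\\^

Cannot access: C:\\WINDOWS\\system32\\eventlog.dll

[1] 2007-12-31 11:03:17 56320 C:\\WINDOWS\\$NtServicePackUninstall$\\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 02:11:54 56320 C:\\WINDOWS\\ServicePackFiles\\i386\\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 02:11:54 62464 C:\\WINDOWS\\system32\\eventlog.dll ()

[2] 2008-04-14 02:11:54 56320 C:\\WINDOWS\\system32\\logevent.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
ACCESS_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] <date> <time> <size> <path> (<company>)"
FILE_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

# Assumption: reparse points Windows itself creates (volume mount points,
# junctions) resolve to a \??\ path. A target that is a bare custom device
# object is what a rootkit's hidden-storage driver looks like in this log.
BENIGN_DEST = re.compile(r"^\\\?\?\\")


def parse_log(text):
    """Return (mount_points, file_groups).

    mount_points: list of (directory, destination)
    file_groups: {inaccessible_path: [(timestamp, size, path, company), ...]}
    """
    mounts, groups = [], defaultdict(list)
    pending_mount = None   # directory waiting for its destination line
    current_group = None   # "Cannot access" file whose candidates follow
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
            current_group = None
        elif m := DEST_RE.match(line):
            if pending_mount is not None:
                mounts.append((pending_mount, m.group(1)))
                pending_mount = None
        elif m := ACCESS_RE.match(line):
            current_group = m.group(1)
            groups[current_group] = []
        elif (m := FILE_RE.match(line)) and current_group is not None:
            ts, size, path, company = m.groups()
            groups[current_group].append((ts, int(size), path, company))
    return mounts, dict(groups)


def suspicious_mounts(mounts):
    """Mount points whose destination is not a normal \\??\\ volume or path."""
    return [(d, dest) for d, dest in mounts if not BENIGN_DEST.match(dest)]


def suspicious_files(groups):
    """Inaccessible files whose live copy has an empty company string or a
    size that matches none of the reference copies listed beside it."""
    findings = []
    for target, entries in groups.items():
        live = [e for e in entries if e[2].lower() == target.lower()]
        refs = [e for e in entries if e[2].lower() != target.lower()]
        ref_sizes = {size for _, size, _, _ in refs}
        for _, size, path, company in live:
            if company == "" or (ref_sizes and size not in ref_sizes):
                findings.append((path, size, sorted(ref_sizes), company))
    return findings


def triage(text):
    mounts, groups = parse_log(text)
    return {"mounts": suspicious_mounts(mounts), "files": suspicious_files(groups)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for directory, dest in report["mounts"]:
        print(f"[mount] {directory} -> {dest}")
    for path, size, ref_sizes, company in report["files"]:
        print(f"[file]  {path}: {size} bytes, company={company!r}, reference sizes={ref_sizes}")
```

Run it against a saved Win32kDiag.txt by replacing SAMPLE_LOG with the file's contents. The eventlog.dll finding is the one that matters most for the thread: a patched Event Log service DLL explains why security tools fail to start or vanish, and the tool's own "Could not get backup privileges!" warning means its file-reading path was already being interfered with.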

brian480
2009-09-01, 01:20
DDS won't run; it flashes a black screen, then nothing happens. Here is the SysProt log:
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\win32k.sys:1
Service Name: ---
Module Base: A927E000
Module End: A9283000
Hidden: Yes

Module Name: \systemroot\win32k.sys:2
Service Name: ---
Module Base: F7800000
Module End: F780F000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F73E60D0
Driver Base: F73E5000
Driver End: F74CF000
Driver Name: sptd.sys

Function Name: ZwEnumerateKey
Address: F73EBFB2
Driver Base: F73E5000
Driver End: F74CF000
Driver Name: sptd.sys

Function Name: ZwEnumerateValueKey
Address: F73EC340
Driver Base: F73E5000
Driver End: F74CF000
Driver Name: sptd.sys

Function Name: ZwOpenKey
Address: F73E60B0
Driver Base: F73E5000
Driver End: F74CF000
Driver Name: sptd.sys

Function Name: ZwQueryKey
Address: F73EC418
Driver Base: F73E5000
Driver End: F74CF000
Driver Name: sptd.sys

Function Name: ZwQueryValueKey
Address: F73EC298
Driver Base: F73E5000
Driver End: F74CF000
Driver Name: sptd.sys

Function Name: ZwSetValueKey
Address: F73EC4AA
Driver Base: F73E5000
Driver End: F74CF000
Driver Name: sptd.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found

Thank you again for trying to find a solution for me.

Bio-Hazard
2009-09-01, 01:23
Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)



You must download it to and run it from your Desktop
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe and follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.



IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.


Next Reply

Please reply with:


ComboFix log (found at C:\Combofix.txt)
New HijackThis log

brian480
2009-09-01, 09:38
I could not attach them in RAR format, sorry.


ComboFix 09-08-31.03 - ALLEN 09/01/2009 8:03.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.548 [GMT 1:00]
Running from: c:\documents and settings\change me\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\CHANGE~1\APPLIC~1\bcrypt.html
c:\docume~1\CHANGE~1\APPLIC~1\inst.exe
c:\documents and settings\change me\Application Data\bcrypt.html
c:\documents and settings\change me\Application Data\inst.exe
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\recycler\S-1-5-21-9055275616-0391393833-324449264-5056
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Installer\105660.msp
c:\windows\Installer\105661.msp
c:\windows\Installer\105662.msp
c:\windows\Installer\105663.msp
c:\windows\Installer\105664.msp
c:\windows\Installer\105665.msp
c:\windows\Installer\105666.msp
c:\windows\Installer\105667.msp
c:\windows\Installer\105668.msp
c:\windows\Installer\110c9f0.msi
c:\windows\Installer\110c9f5.msi
c:\windows\Installer\110c9fe.msi
c:\windows\Installer\110ca03.msi
c:\windows\Installer\110ca08.msi
c:\windows\Installer\110ca0d.msi
c:\windows\Installer\110ca12.msi
c:\windows\Installer\110ca1c.msi
c:\windows\Installer\110ca21.msi
c:\windows\Installer\110ca26.msi
c:\windows\Installer\110ca2b.msi
c:\windows\Installer\110ca34.msi
c:\windows\Installer\110ca39.msi
c:\windows\Installer\110ca3e.msi
c:\windows\Installer\110ca43.msi
c:\windows\Installer\110ca48.msi
c:\windows\Installer\110ca4d.msi
c:\windows\Installer\110ca52.msi
c:\windows\Installer\110ca57.msi
c:\windows\Installer\110ca5c.msi
c:\windows\Installer\110ca61.msi
c:\windows\Installer\110ca66.msi
c:\windows\Installer\110ca6b.msi
c:\windows\Installer\110ca70.msi
c:\windows\Installer\110ca75.msi
c:\windows\Installer\13a3e4.msi
c:\windows\Installer\188ad95.msi
c:\windows\Installer\189239.msp
c:\windows\Installer\18923a.msp
c:\windows\Installer\18923b.msp
c:\windows\Installer\18923c.msp
c:\windows\Installer\18923d.msp
c:\windows\Installer\18923e.msp
c:\windows\Installer\18923f.msp
c:\windows\Installer\189240.msp
c:\windows\Installer\189241.msp
c:\windows\Installer\18c7cf.msi
c:\windows\Installer\19d1fd.msp
c:\windows\Installer\19d1fe.msp
c:\windows\Installer\19d1ff.msp
c:\windows\Installer\19d200.msp
c:\windows\Installer\19d201.msp
c:\windows\Installer\19d202.msp
c:\windows\Installer\19d203.msp
c:\windows\Installer\19d204.msp
c:\windows\Installer\19d205.msp
c:\windows\Installer\1a1edb.msi
c:\windows\Installer\1a1edc.msp
c:\windows\Installer\1a1edd.msp
c:\windows\Installer\1a1ede.msp
c:\windows\Installer\1a1edf.msp
c:\windows\Installer\1a1ee0.msp
c:\windows\Installer\1a1ee1.msp
c:\windows\Installer\1a1ee2.msp
c:\windows\Installer\1a1ee3.msp
c:\windows\Installer\1a1ee4.msp
c:\windows\Installer\1c92d3f.msi
c:\windows\Installer\1c92d44.msi
c:\windows\Installer\1c92d4b.msi
c:\windows\Installer\1c92d50.msi
c:\windows\Installer\1de2d5.msi
c:\windows\Installer\1de2dc.msp
c:\windows\Installer\1e7e73.msi
c:\windows\Installer\1e7e74.msp
c:\windows\Installer\1e7e75.msp
c:\windows\Installer\1e7e76.msp
c:\windows\Installer\1e7e77.msp
c:\windows\Installer\1e7e78.msp
c:\windows\Installer\1e7e79.msp
c:\windows\Installer\1e7e7a.msp
c:\windows\Installer\1e7e7b.msp
c:\windows\Installer\1e7e7c.msp
c:\windows\Installer\1e7e7d.msp
c:\windows\Installer\201798.msi
c:\windows\Installer\20179e.msi
c:\windows\Installer\2030c2c.msi
c:\windows\Installer\215bf0.msi
c:\windows\Installer\215bfe.msp
c:\windows\Installer\215c08.msp
c:\windows\Installer\215c13.msp
c:\windows\Installer\250ee4.msi
c:\windows\Installer\250ee9.msi
c:\windows\Installer\250eee.msi
c:\windows\Installer\250ef3.msi
c:\windows\Installer\250ef8.msi
c:\windows\Installer\250efd.msi
c:\windows\Installer\250f02.msi
c:\windows\Installer\250f0b.msi
c:\windows\Installer\250f10.msi
c:\windows\Installer\250f15.msi
c:\windows\Installer\250f1f.msi
c:\windows\Installer\250f24.msi
c:\windows\Installer\250f29.msi
c:\windows\Installer\2d3d0.msi
c:\windows\Installer\3489c5.msp
c:\windows\Installer\3489c6.msp
c:\windows\Installer\3489c7.msp
c:\windows\Installer\3489c8.msp
c:\windows\Installer\3489c9.msp
c:\windows\Installer\3489ca.msp
c:\windows\Installer\3489cb.msp
c:\windows\Installer\3489cc.msp
c:\windows\Installer\3489cd.msp
c:\windows\Installer\3689bb.msi
c:\windows\Installer\3689bc.msp
c:\windows\Installer\3689bd.msp
c:\windows\Installer\3689be.msp
c:\windows\Installer\3689bf.msp
c:\windows\Installer\3689c0.msp
c:\windows\Installer\3689c1.msp
c:\windows\Installer\3689c2.msp
c:\windows\Installer\3689c3.msp
c:\windows\Installer\3689c4.msp
c:\windows\Installer\372a1.msi
c:\windows\Installer\39bc4.msi
c:\windows\Installer\642b1.msp
c:\windows\Installer\642b7.msi
c:\windows\Installer\642bd.msp
c:\windows\Installer\6794a.msp
c:\windows\Installer\6794b.msp
c:\windows\Installer\6794c.msp
c:\windows\Installer\6794d.msp
c:\windows\Installer\6794e.msp
c:\windows\Installer\6794f.msp
c:\windows\Installer\67950.msp
c:\windows\Installer\67951.msp
c:\windows\Installer\67952.msp
c:\windows\Installer\6d6c9f.msi
c:\windows\Installer\707ce.msi
c:\windows\Installer\79895.msp
c:\windows\Installer\79896.msp
c:\windows\Installer\79897.msp
c:\windows\Installer\79898.msp
c:\windows\Installer\79899.msp
c:\windows\Installer\7989a.msp
c:\windows\Installer\7989b.msp
c:\windows\Installer\7989c.msp
c:\windows\Installer\7989d.msp
c:\windows\Installer\82ff2.msi
c:\windows\Installer\82ff3.msp
c:\windows\Installer\82ff4.msp
c:\windows\Installer\82ff5.msp
c:\windows\Installer\82ff6.msp
c:\windows\Installer\82ff7.msp
c:\windows\Installer\82ff8.msp
c:\windows\Installer\82ff9.msp
c:\windows\Installer\82ffa.msp
c:\windows\Installer\82ffb.msp
c:\windows\Installer\9ac70.msi
c:\windows\Installer\a10a2.msi
c:\windows\Installer\a10a8.msi
c:\windows\Installer\d742ef.msi
c:\windows\system32\geyekrlpxrqpau.dat
c:\windows\system32\net32gdilib.dll
c:\windows\system32\wr42017.dll
c:\windows\system32\xa1029843.exe
c:\windows\system32\xa1030031.exe
c:\windows\system32\xa1054390.exe
c:\windows\system32\xa1054593.exe
c:\windows\system32\xa1078281.exe
c:\windows\system32\xa1078468.exe
c:\windows\system32\xa1079234.exe
c:\windows\system32\xa1079437.exe
c:\windows\system32\xa1079828.exe
c:\windows\system32\xa1080015.exe
c:\windows\system32\xa1080312.exe
c:\windows\system32\xa1155359.exe
c:\windows\system32\xa1155546.exe
c:\windows\system32\xa1599171.exe
c:\windows\system32\xa1599359.exe
c:\windows\system32\xa893562.exe
c:\windows\system32\xa893750.exe
c:\windows\system32\xa922812.exe
c:\windows\system32\xa923000.exe
c:\windows\system32\xa937859.exe
c:\windows\system32\xa938046.exe
c:\windows\system32\xa989031.exe
c:\windows\system32\xa989218.exe
c:\windows\system32\xwr42017.dll
c:\windows\system32\zip32.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-08-31 20:10 . 2009-08-31 20:10 117760 ----a-w- c:\documents and settings\change me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-31 20:08 . 2009-09-01 07:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\documents and settings\change me\Application Data\SUPERAntiSpyware.com
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-31 18:20 . 2009-08-31 18:20 9830 ----a-w- C:\exefix.reg
2009-08-31 17:42 . 2009-08-31 17:42 -------- d-----w- c:\program files\Windows Defender
2009-08-31 17:10 . 2009-08-31 17:10 -------- d-----w- c:\documents and settings\admin\Application Data\Yahoo!
2009-08-31 17:04 . 2009-08-31 17:04 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
2009-08-31 17:03 . 2009-08-31 17:03 19576 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 17:03 . 2009-08-31 17:03 -------- d-sh--w- c:\documents and settings\admin\IETldCache
2009-08-31 17:00 . 2009-08-31 17:04 -------- d-----w- c:\documents and settings\admin
2009-08-31 14:17 . 2009-08-31 14:17 -------- d-----w- c:\program files\Windows X
2009-08-31 14:15 . 2009-08-31 14:35 -------- d-----w- c:\program files\a-squared Free
2009-08-31 13:21 . 2009-08-31 13:21 -------- d-----w- c:\documents and settings\change me\Local Settings\Application Data\Runscanner.net
2009-08-31 13:13 . 2009-08-31 13:13 -------- d-----w- c:\program files\ESET
2009-08-31 13:02 . 2009-08-31 13:02 65536 ----a-r- c:\documents and settings\change me\Application Data\Microsoft\Installer\{A6F4DE62-BA95-45B5-B27D-39E5ABB4E77D}\NewShortcut1_6D307F405A8B42488CCA5C8E4FA8753B.exe
2009-08-31 13:02 . 2009-08-31 13:02 10134 ----a-r- c:\documents and settings\change me\Application Data\Microsoft\Installer\{A6F4DE62-BA95-45B5-B27D-39E5ABB4E77D}\ARPPRODUCTICON.exe
2009-08-31 13:02 . 2009-08-31 13:02 -------- d-----w- c:\program files\Hydra Networks
2009-08-31 13:02 . 2009-08-31 14:17 -------- d-----w- c:\windows\Downloaded Installations
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec(2)(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee(4)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec(4)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Slapdash Games(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Real(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}(3)
2009-08-31 11:32 . 2009-08-31 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee(2)
2009-08-31 10:36 . 2009-08-31 12:25 -------- d-----w- c:\program files\Exterminate It!
2009-08-31 09:03 . 2009-08-31 09:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-08-31 08:49 . 2009-08-31 08:59 -------- d-----w- c:\program files\EsetOnlineScanner
2009-08-31 08:41 . 2009-08-31 08:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-31 08:03 . 2009-08-31 08:31 -------- d-----w- c:\windows\BDOSCAN8
2009-08-30 18:02 . 2009-08-30 18:02 -------- d-----w- c:\documents and settings\change me\Application Data\PlayFirst
2009-08-30 18:02 . 2009-08-30 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-30 18:02 . 2009-08-30 18:02 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\PlayFirst
2009-08-30 17:40 . 2009-08-30 17:40 -------- d-----w- c:\program files\The Mystery of the Mary Celeste
2009-08-30 17:40 . 2009-08-30 17:40 -------- d-----w- c:\windows\The Mystery of the Mary Celeste
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\documents and settings\change me\Application Data\Malwarebytes
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Malwarebytes
2009-08-30 05:43 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 05:43 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 04:50 . 2009-06-10 21:11 342016 ------w- c:\windows\system32\MC14.exe
2009-08-30 04:50 . 2009-05-12 18:13 585728 ------w- c:\windows\system32\AReadyLB.dll
2009-08-30 04:50 . 2009-05-12 18:13 53248 ------w- c:\windows\system32\BBInstaller.exe
2009-08-30 04:50 . 2009-05-12 18:13 229376 ------w- c:\windows\system32\AudDevicePlugin.dll
2009-08-30 04:50 . 2009-08-30 04:50 -------- d-----w- c:\program files\J River
2009-08-30 04:49 . 2009-08-30 04:50 -------- d-----w- c:\documents and settings\change me\Application Data\J River
2009-08-30 04:49 . 2009-08-30 04:50 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\J River
2009-08-29 17:16 . 2009-08-29 17:16 -------- d-----w- c:\documents and settings\change me\Application Data\GlarySoft
2009-08-29 17:16 . 2009-08-29 17:16 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\GlarySoft
2009-08-29 17:14 . 2009-08-29 17:14 -------- d-----w- c:\program files\Glary Utilities
2009-08-29 17:01 . 2009-08-29 17:01 -------- d-----w- c:\documents and settings\change me\Application Data\DAEMON Tools Pro
2009-08-29 17:01 . 2009-08-29 17:01 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\DAEMON Tools Pro
2009-08-29 16:51 . 2009-08-29 16:51 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-29 15:55 . 2009-08-29 15:55 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 12:48 . 2009-08-29 12:48 4141117 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2009-08-29 12:48 . 2009-08-29 12:48 6516755 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2009-08-29 12:44 . 2009-08-29 12:44 15884 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2009-08-29 12:44 . 2009-08-29 12:44 102400 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2009-08-28 16:30 . 2009-08-28 19:06 -------- d-----w- c:\program files\Common Files\Real
2009-08-28 14:21 . 2009-08-28 14:21 -------- d-----w- c:\documents and settings\change me\Application Data\TuneUp Software
2009-08-28 14:21 . 2009-08-28 14:21 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\TuneUp Software
2009-08-28 13:43 . 2009-08-28 13:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-28 13:43 . 2009-08-28 13:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-08-28 12:44 . 2009-08-28 12:57 -------- d-----w- c:\documents and settings\change me\Application Data\Smart PC Solutions
2009-08-28 12:44 . 2009-08-28 12:57 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Smart PC Solutions
2009-08-28 05:09 . 2009-08-28 05:09 10684866 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\azump\mplayer.exe
2009-08-27 17:34 . 2009-08-27 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-08-27 17:34 . 2009-08-31 12:04 -------- d-----w- c:\documents and settings\change me\Application Data\Azureus
2009-08-27 17:34 . 2009-08-31 12:04 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Azureus
2009-08-27 17:34 . 2009-08-27 17:34 -------- d-----w- c:\program files\Vuze
2009-08-27 11:37 . 2009-08-31 11:09 -------- d-----w- c:\documents and settings\change me\.housecall6.6
2009-08-26 23:23 . 2009-08-27 00:07 -------- d-----w- c:\documents and settings\change me\Application Data\.ABC
2009-08-26 23:23 . 2009-08-27 00:07 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\.ABC
2009-08-26 15:46 . 2009-08-31 13:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-26 08:50 . 2009-08-26 08:50 -------- d-----w- c:\program files\Xilisoft
2009-08-25 09:10 . 2009-08-25 09:10 -------- d-----w- c:\documents and settings\change me\Application Data\Ahead
2009-08-25 09:10 . 2009-08-25 09:10 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Ahead
2009-08-25 08:54 . 2003-10-08 09:51 1298432 ----a-w- c:\windows\UNNMP.exe
2009-08-25 08:54 . 2003-10-08 09:51 1298432 ----a-w- c:\windows\UNNMP(3).exe
2009-08-25 08:54 . 2003-10-08 09:51 1298432 ----a-w- c:\windows\UNNMP(2).exe
2009-08-25 08:44 . 2009-08-25 15:09 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-25 07:57 . 2009-08-25 07:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 07:57 . 2009-08-25 07:57 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-25 07:57 . 2009-08-25 07:57 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 07:57 . 2009-08-25 07:57 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-25 07:56 . 2009-08-31 07:09 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-25 07:56 . 2009-08-25 07:56 -------- d-----w- c:\program files\AVG
2009-08-25 07:55 . 2009-09-01 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 07:46 . 2009-08-25 07:46 -------- d-----w- c:\documents and settings\change me\Application Data\AVG8
2009-08-25 07:46 . 2009-08-25 07:46 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\AVG8
2009-08-24 07:58 . 2009-08-24 08:02 47360 ----a-w- c:\documents and settings\change me\Application Data\pcouffin.sys
2009-08-24 07:58 . 2009-08-24 07:58 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-24 07:58 . 2009-08-24 08:02 -------- d-----w- c:\documents and settings\change me\Application Data\Vso
2009-08-24 07:58 . 2009-08-24 08:02 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Vso
2009-08-23 07:00 . 2009-08-23 07:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2009-08-23 06:52 . 2009-08-23 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
2009-08-23 06:52 . 2008-08-06 01:50 606208 ----a-w- c:\documents and settings\All Users\Application Data\Uninstall\{7919D8D9-69FB-4E94-B330-04C4AF251867}\bin\setupresENU.dll
2009-08-23 06:52 . 2008-08-05 13:42 4717040 ----a-w- c:\documents and settings\All Users\Application Data\Uninstall\{7919D8D9-69FB-4E94-B330-04C4AF251867}\setup.exe
2009-08-23 06:43 . 2009-08-23 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-08-23 06:37 . 2009-08-23 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-22 19:45 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\change me\Application Data\Azuaz Games
2009-08-22 19:45 . 2009-08-22 19:45 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Azuaz Games
2009-08-22 19:36 . 2009-08-22 19:36 -------- d-----w- c:\program files\GameTop.com
2009-08-22 06:25 . 2009-08-22 06:25 -------- d-----w- c:\program files\Defraggler
2009-08-21 16:58 . 2009-08-21 16:58 -------- d-----w- c:\program files\CCleaner
2009-08-21 09:12 . 2001-08-17 12:48 12160 -c----w- c:\windows\system32\dllcache\mouhid.sys
2009-08-21 09:12 . 2001-08-17 12:48 12160 ------w- c:\windows\system32\drivers\mouhid.sys
2009-08-20 06:51 . 2009-08-20 06:51 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-20 06:51 . 2009-08-20 06:51 -------- d-----w- C:\4fff99b4a3a7072f67382f9eaf43c24f
2009-08-17 08:17 . 2009-08-29 13:02 -------- d-----w- c:\program files\VS Revo Group
2009-08-16 11:00 . 2009-08-16 11:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Avanquest
2009-08-15 12:44 . 2009-08-15 12:45 -------- d--h--w- c:\windows\ie8
2009-08-15 11:12 . 2009-08-15 12:44 -------- dc----w- c:\windows\ie8(2)
2009-08-15 09:25 . 2009-08-15 09:25 -------- d-----w- c:\documents and settings\change me\ErrorLogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 15:26 . 2009-06-14 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec(2)
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Slapdash Games
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-31 12:42 . 2009-08-31 12:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-31 09:03 . 2009-06-27 09:59 -------- d-----w- c:\program files\DNA
2009-08-30 08:20 . 2009-07-28 16:20 -------- d-----w- c:\program files\MpcStar
2009-08-29 18:30 . 2009-06-09 11:37 -------- d-----w- c:\program files\Yahoo!
2009-08-28 17:10 . 2009-06-09 11:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-28 17:10 . 2009-06-09 11:37 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-28 14:21 . 2009-06-28 22:49 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-28 13:19 . 2009-07-16 10:47 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-27 00:31 . 2009-05-30 14:41 19576 -c--a-w- c:\documents and settings\change me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 08:02 . 2009-08-24 07:58 47360 ----a-w- c:\docume~1\CHANGE~1\APPLIC~1\pcouffin.sys
2009-08-23 14:56 . 2009-07-21 09:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 12:26 . 2009-07-14 15:15 1034056 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-23 06:52 . 2009-06-09 11:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-23 06:39 . 2009-06-09 11:37 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-21 16:49 . 2009-06-14 19:00 411368 -c----w- c:\windows\system32\deploytk.dll
2009-08-17 09:55 . 2009-06-21 09:47 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-17 08:29 . 2009-06-09 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-15 22:04 . 2009-06-23 14:31 -------- d-----w- c:\program files\Lx_cats
2009-08-15 20:33 . 2009-06-14 07:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-15 09:06 . 2009-07-08 15:26 -------- d-----w- c:\program files\Intel
2009-08-15 07:42 . 2009-07-25 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\page
2009-08-13 14:44 . 2009-07-14 09:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-11 15:00 . 2009-08-11 15:00 0 ------w- c:\windows\system32\drivers\Msft_User_M4iPodWPDDriver_01_07_00.Wdf
2009-08-11 15:00 . 2009-08-11 15:00 0 ------w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-08-09 20:02 . 2009-06-09 11:42 -------- d-----w- c:\documents and settings\change me\Application Data\Motive
2009-08-09 20:02 . 2009-06-09 11:42 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Motive
2009-08-09 09:10 . 2009-06-10 06:36 -------- d-----w- c:\documents and settings\change me\Application Data\Media Player Classic
2009-08-09 09:10 . 2009-06-10 06:36 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Media Player Classic
2009-08-07 10:40 . 2009-07-07 16:34 -------- d-----w- c:\program files\Microsoft.NET
2009-08-05 09:47 . 2009-07-28 16:27 -------- d-----w- c:\documents and settings\change me\Application Data\CometNetwork
2009-08-05 09:47 . 2009-07-28 16:27 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\CometNetwork
2009-08-05 09:01 . 2004-08-04 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 07:48 . 2009-06-09 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 20:07 . 2009-06-09 20:24 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-02 15:50 . 2009-08-31 17:00 38208 ----a-w- c:\documents and settings\admin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-02 10:04 . 2009-08-01 10:50 239 ----a-w- c:\windows\PowerReg.dat
2009-07-28 16:35 . 2009-07-28 16:22 -------- d-----w- c:\documents and settings\change me\Application Data\TigerPlayer
2009-07-28 16:35 . 2009-07-28 16:22 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\TigerPlayer
2009-07-28 16:27 . 2009-07-28 16:27 0 ----a-w- c:\windows\nsreg.dat
2009-07-28 09:20 . 2009-07-28 08:47 -------- d-----w- c:\program files\ffdshow
2009-07-28 08:57 . 2009-06-12 07:18 -------- d-----w- c:\program files\SourceTec
2009-07-26 09:26 . 2009-07-14 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-26 07:55 . 2009-07-26 07:55 3888 ------w- c:\windows\system32\drivers\NTHANDLE.SYS
2009-07-24 09:22 . 2009-07-24 09:22 -------- d-----w- c:\program files\Search Guard Plus
2009-07-24 06:50 . 2009-07-21 10:46 -------- d-----w- c:\program files\iolo
2009-07-24 06:50 . 2009-07-21 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-07-21 13:28 . 2009-07-20 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak
2009-07-21 13:28 . 2009-07-20 14:51 -------- d-----w- c:\documents and settings\change me\Application Data\Systweak
2009-07-21 13:28 . 2009-07-20 14:51 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Systweak
2009-07-21 11:05 . 2009-07-21 00:21 518 ----a-w- c:\documents and settings\change me\Application Data\iolo\Registry\Last\restore.bat
2009-07-21 00:19 . 2009-07-21 00:19 1531 ----a-w- c:\documents and settings\change me\Application Data\iolo\restore.bat
2009-07-21 00:13 . 2009-07-21 00:01 -------- d-----w- c:\documents and settings\change me\Application Data\iolo
2009-07-21 00:13 . 2009-07-21 00:01 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\iolo
2009-07-21 00:06 . 2009-07-21 00:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2009-07-21 00:02 . 2009-07-21 00:02 74703 ------w- c:\windows\system32\mfc45.dll
2009-07-20 20:59 . 2004-08-04 12:00 182656 -c----w- c:\windows\system32\drivers\ndis.sys
2009-07-20 18:20 . 2009-07-20 18:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-07-20 18:20 . 2009-06-09 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-07-20 15:08 . 2009-07-20 15:06 30996544 ----a-w- c:\documents and settings\change me\Application Data\Systweak\ASO 2\UpdateASPnew.exe
2009-07-19 18:17 . 2009-07-19 18:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\agi
2009-07-19 18:15 . 2009-07-19 18:15 339968 ------w- c:\windows\system32\pythoncom25.dll
2009-07-19 18:15 . 2009-07-19 18:15 114688 ------w- c:\windows\system32\pywintypes25.dll
2009-07-19 18:15 . 2009-07-19 18:15 2117632 ------w- c:\windows\system32\python25.dll
2009-07-17 19:23 . 2009-07-17 19:23 -------- d-----w- c:\documents and settings\change me\Application Data\Windows Live Writer
2009-07-17 19:23 . 2009-07-17 19:23 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Windows Live Writer
2009-07-17 19:22 . 2009-06-09 18:40 -------- d-----w- c:\program files\Windows Live
2009-07-17 19:21 . 2009-07-17 19:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-17 19:01 . 2004-08-04 12:00 58880 ------w- c:\windows\system32\atl.dll
2009-07-17 17:58 . 2009-07-17 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-07-17 09:56 . 2009-06-12 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-07-16 13:17 . 2009-07-06 18:18 1474832 ------w- c:\windows\system32\drivers\sfi.dat
2009-07-14 14:41 . 2009-07-14 13:55 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-14 14:03 . 2009-07-14 14:03 -------- d-----w- c:\program files\MSXML 6.0
2009-07-14 13:53 . 2009-07-14 13:53 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-07-14 13:51 . 2009-07-14 13:51 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-07-14 08:21 . 2009-07-14 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-13 22:43 . 2007-12-31 10:31 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 13:22 . 2009-07-13 13:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-11 17:24 . 2009-06-09 11:36 -------- d-----w- c:\program files\Common Files\Motive
2009-07-09 10:37 . 2009-07-09 10:37 -------- d-----w- c:\program files\Microsoft SDKs
2009-07-08 14:48 . 2009-07-08 14:48 23600 ------w- c:\windows\system32\drivers\TVICHW32.SYS
2009-07-08 14:28 . 2009-07-08 14:28 -------- d-----w- c:\program files\Intel Corporation
2009-07-08 13:50 . 2009-07-08 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-07-08 13:50 . 2009-07-08 13:50 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-07-06 03:40 . 2009-08-15 09:04 2838454 ----a-w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}\speedupmypc2009.exe
2009-07-06 03:40 . 2009-08-15 09:04 2838454 ----a-w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}(3)\speedupmypc2009.exe
2009-07-06 03:40 . 2009-08-15 09:04 2838454 ----a-w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}(2)\speedupmypc2009.exe
2009-07-04 08:19 . 2009-07-04 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NeptunesAdve
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 07:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25766:TCP"= 25766:TCP:BitComet 25766 TCP
"25766:UDP"= 25766:UDP:BitComet 25766 UDP
"65535:TCP"= 65535:TCP:BitComet 65535 TCP
"65535:UDP"= 65535:UDP:BitComet 65535 UDP
"12863:TCP"= 12863:TCP:BitComet 12863 TCP
"12863:UDP"= 12863:UDP:BitComet 12863 UDP
"20422:TCP"= 20422:TCP:BitComet 20422 TCP
"20422:UDP"= 20422:UDP:BitComet 20422 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/25/2009 08:57 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/25/2009 08:57 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 16:06 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/25/2009 08:56 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/25/2009 08:56 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [7/17/2009 20:22 55152]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [4/10/2008 11:31 177280]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [6/23/2009 16:07 99248]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 19:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [7/28/2009 15:17 16512]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [8/10/2009 07:03 42432]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 18:08 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 13:00 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 16:06 7408]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/11/2008 01:28 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 03:09 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 03:23 366936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-08-29 15:09]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-436374069-725345543-1003Core.job
- c:\documents and settings\change me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 07:33]

2009-09-01 c:\windows\Tasks\User_Feed_Synchronization-{C696E61C-6D6E-4E34-97DF-FF9D5594657B}.job
- c:\windows\system32\msfeedssync.exe [2007-12-31 03:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{3B419EE1-1FA8-47B9-9AEC-6B60AC2E3FCA} - (no file)
SafeBoot-MCODS


.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bt.yahoo.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
LSP: c:\windows\system32\SecureNet.dll
Trusted Zone: motive.com\pbttbc.bt
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 08:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8d,84,93,df,33,82,70,46,8e,9b,18,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8d,84,93,df,33,82,70,46,8e,9b,18,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\a-squared Free\a2service.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-01 8:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 07:17

Pre-Run: 94,239,412,224 bytes free
Post-Run: 102,049,869,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

633 --- E O F --- 2009-09-01 06:47

Bio-Hazard
2009-09-01, 11:03
Use of P2P (Person to Person) file sharing programs

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Vuze
DNA

Please read HERE (http://forums.spybot.info/showpost.php?p=218503&postcount=4) the Safer Networking Forums policy on the use of P2P file sharing programs. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.

NOTE: Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


Download HijackThis

To get things going I need you to download HijackThis; see the instructions below.



Click HERE (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.



DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

brian480
2009-09-01, 12:35
I have removed Vuze but I don't know what DNA is; I cannot find it in Add or Remove.

brian480
2009-09-01, 12:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:18, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--
End of file - 8461 bytes
Could you please explain what DNA is and how I get rid of it? Thanks.

Bio-Hazard
2009-09-01, 13:45
Hello!

It is a P2P program like Vuze. I will remove it for you.

Run CFScript



Close any open browsers.
Open Notepad by clicking Start
Click Run
Type notepad into the box and press Enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:




File::
C:\exefix.reg

Folder::
c:\program files\DNA
c:\documents and settings\Administrator\Application Data\DNA
c:\documents and settings\change me\Application Data\Azureus
c:\documents and settings\All Users\Application Data\Azureus
c:\docume~1\CHANGE~1\APPLIC~1\Azureus
c:\program files\Vuze
c:\program files\Exterminate It!
c:\documents and settings\change me\Application Data\Smart PC Solutions
c:\docume~1\CHANGE~1\APPLIC~1\Smart PC Solutions
c:\documents and settings\change me\Application Data\.ABC
c:\docume~1\CHANGE~1\APPLIC~1\.ABC

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Vuze\\Azureus.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25766:TCP"=-
"25766:UDP"=-
"65535:TCP"=-
"65535:UDP"=-
"12863:TCP"=-
"12863:UDP"=-
"20422:TCP"=-
"20422:UDP"=-

DDS:
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77}


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Referring to the picture below, drag CFScript into ComboFix.exe.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt



NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.






ATF-Cleaner

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.



Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.



Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.






Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


ComboFix log (found at C:\Combofix.txt)
Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

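As an added example (not part of Bio-Hazard's instructions and not ComboFix code), the following PowerShell audit reads the same two Windows XP firewall registry lists that the CFScript above clears, AuthorizedApplications and GloballyOpenPorts, and flags application exceptions whose program no longer exists on disk, so a helper can confirm that entries like the Vuze and DNA ones are genuine orphans before and after the fix. It assumes the stock XP value layout ("path-or-port:scope:state:name") and an administrative account; the list of ports to highlight is copied from the CFScript in this post.

```powershell
# Added example: audit Windows XP firewall exceptions stored under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.
# The CFScript in this thread removes entries from these two lists; this script
# only reads them and reports which ones look orphaned. Run as an administrator.

$policy   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$appsKey  = Join-Path $policy 'AuthorizedApplications\List'
$portsKey = Join-Path $policy 'GloballyOpenPorts\List'

# Properties PowerShell attaches to every Get-ItemProperty result; not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Ports the CFScript in this thread deletes (copied from the post, for highlighting only).
$cfscriptPorts = '25766:TCP', '25766:UDP', '65535:TCP', '65535:UDP',
                 '12863:TCP', '12863:UDP', '20422:TCP', '20422:UDP'

function Get-FirewallListValues([string]$key) {
    # Returns Name/Data pairs for every value under the given list key (empty if absent).
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    $item.PSObject.Properties |
        Where-Object { $metaProps -notcontains $_.Name } |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; Data = [string]$_.Value } }
}

function Parse-FirewallEntry([string]$name, [string]$data) {
    # XP value data looks like:
    #   C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus
    #   25766:TCP:*:Enabled:Vuze
    # Paths contain ':' after the drive letter, so take the fields from the right-hand end.
    $parts = $data -split ':'
    $n = $parts.Count
    New-Object PSObject -Property @{
        Name    = $name
        Scope   = if ($n -ge 3) { $parts[$n - 3] } else { '' }
        Enabled = if ($n -ge 2) { $parts[$n - 2] } else { '' }
        Label   = if ($n -ge 1) { $parts[$n - 1] } else { '' }
    }
}

Write-Host "== Authorized applications ($appsKey) =="
foreach ($v in Get-FirewallListValues $appsKey) {
    $e = Parse-FirewallEntry $v.Name $v.Data
    # Value names may use %ProgramFiles% etc.; expand before checking the file.
    $path = [Environment]::ExpandEnvironmentVariables($v.Name)
    $flag = if (Test-Path -LiteralPath $path) { 'present' } else { 'ORPHAN (file missing)' }
    Write-Host ("{0,-22} {1,-9} {2,-20} {3}" -f $flag, $e.Enabled, $e.Label, $v.Name)
}

Write-Host "`n== Globally open ports ($portsKey) =="
foreach ($v in Get-FirewallListValues $portsKey) {
    $e = Parse-FirewallEntry $v.Name $v.Data
    $flag = if ($cfscriptPorts -contains $v.Name) { 'listed in CFScript' } else { '' }
    Write-Host ("{0,-11} {1,-9} {2,-20} {3}" -f $v.Name, $e.Enabled, $e.Label, $flag)
}
```

Running it again after ComboFix has processed the CFScript should show none of the highlighted ports and no Vuze or DNA entries under either list.
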
brian480
2009-09-01, 17:14
Here are the results.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 1, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 01, 2009 14:54:12
Records in database: 2735799
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 60125
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 01:55:13


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\SGPSA\BHO.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.ifr 1
C:\WINDOWS\Downloaded Installations\{CA96CAAA-F816-4CB5-9676-6A3FCCB81468}\Spycheck Antispyware.msi Infected: not-a-virus:FraudTool.Win32.FastAntiSpyware.a 1

Selected area has been scanned.



ComboFix 09-08-31.03 - ALLEN 09/01/2009 13:26.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.546 [GMT 1:00]
Running from: c:\documents and settings\change me\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.text
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 10:36 . 2009-09-01 10:36 -------- d-----w- c:\program files\Trend Micro
2009-08-31 20:10 . 2009-08-31 20:10 117760 ----a-w- c:\documents and settings\change me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-31 20:08 . 2009-09-01 12:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\documents and settings\change me\Application Data\SUPERAntiSpyware.com
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-31 20:08 . 2009-08-31 20:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-31 18:20 . 2009-08-31 18:20 9830 ----a-w- C:\exefix.reg
2009-08-31 17:42 . 2009-08-31 17:42 -------- d-----w- c:\program files\Windows Defender
2009-08-31 17:10 . 2009-08-31 17:10 -------- d-----w- c:\documents and settings\admin\Application Data\Yahoo!
2009-08-31 17:04 . 2009-08-31 17:04 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
2009-08-31 17:03 . 2009-08-31 17:03 19576 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 17:03 . 2009-08-31 17:03 -------- d-sh--w- c:\documents and settings\admin\IETldCache
2009-08-31 17:00 . 2009-08-31 17:04 -------- d-----w- c:\documents and settings\admin
2009-08-31 14:17 . 2009-08-31 14:17 -------- d-----w- c:\program files\Windows X
2009-08-31 14:15 . 2009-08-31 14:35 -------- d-----w- c:\program files\a-squared Free
2009-08-31 13:21 . 2009-08-31 13:21 -------- d-----w- c:\documents and settings\change me\Local Settings\Application Data\Runscanner.net
2009-08-31 13:13 . 2009-08-31 13:13 -------- d-----w- c:\program files\ESET
2009-08-31 13:02 . 2009-08-31 13:02 65536 ----a-r- c:\documents and settings\change me\Application Data\Microsoft\Installer\{A6F4DE62-BA95-45B5-B27D-39E5ABB4E77D}\NewShortcut1_6D307F405A8B42488CCA5C8E4FA8753B.exe
2009-08-31 13:02 . 2009-08-31 13:02 10134 ----a-r- c:\documents and settings\change me\Application Data\Microsoft\Installer\{A6F4DE62-BA95-45B5-B27D-39E5ABB4E77D}\ARPPRODUCTICON.exe
2009-08-31 13:02 . 2009-08-31 13:02 -------- d-----w- c:\program files\Hydra Networks
2009-08-31 13:02 . 2009-08-31 14:17 -------- d-----w- c:\windows\Downloaded Installations
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec(2)(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee(4)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec(4)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Slapdash Games(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Real(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU(3)
2009-08-31 12:31 . 2009-08-31 12:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}(3)
2009-08-31 11:32 . 2009-08-31 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee(2)
2009-08-31 10:36 . 2009-08-31 12:25 -------- d-----w- c:\program files\Exterminate It!
2009-08-31 09:03 . 2009-08-31 09:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-08-31 08:49 . 2009-08-31 08:59 -------- d-----w- c:\program files\EsetOnlineScanner
2009-08-31 08:41 . 2009-08-31 08:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-31 08:03 . 2009-08-31 08:31 -------- d-----w- c:\windows\BDOSCAN8
2009-08-30 18:02 . 2009-08-30 18:02 -------- d-----w- c:\documents and settings\change me\Application Data\PlayFirst
2009-08-30 18:02 . 2009-08-30 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-30 18:02 . 2009-08-30 18:02 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\PlayFirst
2009-08-30 17:40 . 2009-08-30 17:40 -------- d-----w- c:\program files\The Mystery of the Mary Celeste
2009-08-30 17:40 . 2009-08-30 17:40 -------- d-----w- c:\windows\The Mystery of the Mary Celeste
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\documents and settings\change me\Application Data\Malwarebytes
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Malwarebytes
2009-08-30 05:43 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 05:43 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 05:43 . 2009-08-30 05:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 04:50 . 2009-06-10 21:11 342016 ------w- c:\windows\system32\MC14.exe
2009-08-30 04:50 . 2009-05-12 18:13 585728 ------w- c:\windows\system32\AReadyLB.dll
2009-08-30 04:50 . 2009-05-12 18:13 53248 ------w- c:\windows\system32\BBInstaller.exe
2009-08-30 04:50 . 2009-05-12 18:13 229376 ------w- c:\windows\system32\AudDevicePlugin.dll
2009-08-30 04:50 . 2009-08-30 04:50 -------- d-----w- c:\program files\J River
2009-08-30 04:49 . 2009-08-30 04:50 -------- d-----w- c:\documents and settings\change me\Application Data\J River
2009-08-30 04:49 . 2009-08-30 04:50 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\J River
2009-08-29 17:16 . 2009-08-29 17:16 -------- d-----w- c:\documents and settings\change me\Application Data\GlarySoft
2009-08-29 17:16 . 2009-08-29 17:16 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\GlarySoft
2009-08-29 17:14 . 2009-08-29 17:14 -------- d-----w- c:\program files\Glary Utilities
2009-08-29 17:01 . 2009-08-29 17:01 -------- d-----w- c:\documents and settings\change me\Application Data\DAEMON Tools Pro
2009-08-29 17:01 . 2009-08-29 17:01 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\DAEMON Tools Pro
2009-08-29 16:51 . 2009-08-29 16:51 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-29 15:55 . 2009-08-29 15:55 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 12:48 . 2009-08-29 12:48 4141117 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2009-08-29 12:48 . 2009-08-29 12:48 6516755 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2009-08-29 12:44 . 2009-08-29 12:44 15884 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2009-08-29 12:44 . 2009-08-29 12:44 102400 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2009-08-28 16:30 . 2009-08-28 19:06 -------- d-----w- c:\program files\Common Files\Real
2009-08-28 14:21 . 2009-08-28 14:21 -------- d-----w- c:\documents and settings\change me\Application Data\TuneUp Software
2009-08-28 14:21 . 2009-08-28 14:21 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\TuneUp Software
2009-08-28 13:43 . 2009-08-28 13:43 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-28 13:43 . 2009-08-28 13:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-08-28 12:44 . 2009-08-28 12:57 -------- d-----w- c:\documents and settings\change me\Application Data\Smart PC Solutions
2009-08-28 12:44 . 2009-08-28 12:57 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Smart PC Solutions
2009-08-28 05:09 . 2009-08-28 05:09 10684866 ----a-w- c:\documents and settings\change me\Application Data\Azureus\plugins\azump\mplayer.exe
2009-08-27 17:34 . 2009-08-27 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-08-27 17:34 . 2009-08-31 12:04 -------- d-----w- c:\documents and settings\change me\Application Data\Azureus
2009-08-27 17:34 . 2009-08-31 12:04 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Azureus
2009-08-27 17:34 . 2009-09-01 10:32 -------- d-----w- c:\program files\Vuze
2009-08-27 11:37 . 2009-08-31 11:09 -------- d-----w- c:\documents and settings\change me\.housecall6.6
2009-08-26 23:23 . 2009-08-27 00:07 -------- d-----w- c:\documents and settings\change me\Application Data\.ABC
2009-08-26 23:23 . 2009-08-27 00:07 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\.ABC
2009-08-26 15:46 . 2009-08-31 13:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-26 08:50 . 2009-08-26 08:50 -------- d-----w- c:\program files\Xilisoft
2009-08-25 09:10 . 2009-08-25 09:10 -------- d-----w- c:\documents and settings\change me\Application Data\Ahead
2009-08-25 09:10 . 2009-08-25 09:10 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Ahead
2009-08-25 08:54 . 2003-10-08 09:51 1298432 ----a-w- c:\windows\UNNMP.exe
2009-08-25 08:54 . 2003-10-08 09:51 1298432 ----a-w- c:\windows\UNNMP(3).exe
2009-08-25 08:54 . 2003-10-08 09:51 1298432 ----a-w- c:\windows\UNNMP(2).exe
2009-08-25 08:44 . 2009-08-25 15:09 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-25 07:57 . 2009-08-25 07:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 07:57 . 2009-08-25 07:57 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-25 07:57 . 2009-08-25 07:57 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 07:57 . 2009-08-25 07:57 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-25 07:56 . 2009-09-01 08:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-25 07:56 . 2009-08-25 07:56 -------- d-----w- c:\program files\AVG
2009-08-25 07:55 . 2009-09-01 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 07:46 . 2009-08-25 07:46 -------- d-----w- c:\documents and settings\change me\Application Data\AVG8
2009-08-25 07:46 . 2009-08-25 07:46 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\AVG8
2009-08-24 07:58 . 2009-08-24 08:02 47360 ----a-w- c:\documents and settings\change me\Application Data\pcouffin.sys
2009-08-24 07:58 . 2009-08-24 07:58 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-24 07:58 . 2009-08-24 08:02 -------- d-----w- c:\documents and settings\change me\Application Data\Vso
2009-08-24 07:58 . 2009-08-24 08:02 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Vso
2009-08-23 07:00 . 2009-08-23 07:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2009-08-23 06:52 . 2009-08-23 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
2009-08-23 06:52 . 2008-08-06 01:50 606208 ----a-w- c:\documents and settings\All Users\Application Data\Uninstall\{7919D8D9-69FB-4E94-B330-04C4AF251867}\bin\setupresENU.dll
2009-08-23 06:52 . 2008-08-05 13:42 4717040 ----a-w- c:\documents and settings\All Users\Application Data\Uninstall\{7919D8D9-69FB-4E94-B330-04C4AF251867}\setup.exe
2009-08-23 06:43 . 2009-08-23 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-08-23 06:37 . 2009-08-23 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-22 19:45 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\change me\Application Data\Azuaz Games
2009-08-22 19:45 . 2009-08-22 19:45 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Azuaz Games
2009-08-22 19:36 . 2009-08-22 19:36 -------- d-----w- c:\program files\GameTop.com
2009-08-22 06:25 . 2009-08-22 06:25 -------- d-----w- c:\program files\Defraggler
2009-08-21 16:58 . 2009-08-21 16:58 -------- d-----w- c:\program files\CCleaner
2009-08-21 09:12 . 2001-08-17 12:48 12160 -c----w- c:\windows\system32\dllcache\mouhid.sys
2009-08-21 09:12 . 2001-08-17 12:48 12160 ------w- c:\windows\system32\drivers\mouhid.sys
2009-08-20 06:51 . 2009-08-20 06:51 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-20 06:51 . 2009-08-20 06:51 -------- d-----w- C:\4fff99b4a3a7072f67382f9eaf43c24f
2009-08-17 08:17 . 2009-08-29 13:02 -------- d-----w- c:\program files\VS Revo Group
2009-08-16 11:00 . 2009-08-16 11:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Avanquest
2009-08-15 12:44 . 2009-08-15 12:45 -------- d--h--w- c:\windows\ie8
2009-08-15 11:12 . 2009-08-15 12:44 -------- dc----w- c:\windows\ie8(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 11:07 . 2009-06-27 09:59 -------- d-----w- c:\program files\DNA
2009-09-01 11:06 . 2009-06-27 09:59 -------- d-----w- c:\documents and settings\change me\Application Data\DNA
2009-09-01 11:06 . 2009-06-27 09:59 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\DNA
2009-08-31 15:26 . 2009-06-14 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec(2)
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Slapdash Games
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-31 12:42 . 2009-08-31 12:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
2009-08-30 08:20 . 2009-07-28 16:20 -------- d-----w- c:\program files\MpcStar
2009-08-29 18:30 . 2009-06-09 11:37 -------- d-----w- c:\program files\Yahoo!
2009-08-28 17:10 . 2009-06-09 11:37 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-28 17:10 . 2009-06-09 11:37 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-28 14:21 . 2009-06-28 22:49 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-28 13:19 . 2009-07-16 10:47 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-27 00:31 . 2009-05-30 14:41 19576 -c--a-w- c:\documents and settings\change me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 08:02 . 2009-08-24 07:58 47360 ----a-w- c:\docume~1\CHANGE~1\APPLIC~1\pcouffin.sys
2009-08-23 14:56 . 2009-07-21 09:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-23 12:26 . 2009-07-14 15:15 1034056 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-23 06:52 . 2009-06-09 11:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-23 06:39 . 2009-06-09 11:37 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-21 16:49 . 2009-06-14 19:00 411368 -c----w- c:\windows\system32\deploytk.dll
2009-08-17 09:55 . 2009-06-21 09:47 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-17 08:29 . 2009-06-09 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-15 22:04 . 2009-06-23 14:31 -------- d-----w- c:\program files\Lx_cats
2009-08-15 20:33 . 2009-06-14 07:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-15 09:06 . 2009-07-08 15:26 -------- d-----w- c:\program files\Intel
2009-08-15 07:42 . 2009-07-25 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\page
2009-08-13 14:44 . 2009-07-14 09:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-11 15:00 . 2009-08-11 15:00 0 ------w- c:\windows\system32\drivers\Msft_User_M4iPodWPDDriver_01_07_00.Wdf
2009-08-11 15:00 . 2009-08-11 15:00 0 ------w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-08-09 20:02 . 2009-06-09 11:42 -------- d-----w- c:\documents and settings\change me\Application Data\Motive
2009-08-09 20:02 . 2009-06-09 11:42 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Motive
2009-08-09 09:10 . 2009-06-10 06:36 -------- d-----w- c:\documents and settings\change me\Application Data\Media Player Classic
2009-08-09 09:10 . 2009-06-10 06:36 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Media Player Classic
2009-08-07 10:40 . 2009-07-07 16:34 -------- d-----w- c:\program files\Microsoft.NET
2009-08-05 09:47 . 2009-07-28 16:27 -------- d-----w- c:\documents and settings\change me\Application Data\CometNetwork
2009-08-05 09:47 . 2009-07-28 16:27 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\CometNetwork
2009-08-05 09:01 . 2004-08-04 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 07:48 . 2009-06-09 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 20:07 . 2009-06-09 20:24 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-02 15:50 . 2009-08-31 17:00 38208 ----a-w- c:\documents and settings\admin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-02 10:04 . 2009-08-01 10:50 239 ----a-w- c:\windows\PowerReg.dat
2009-07-28 16:35 . 2009-07-28 16:22 -------- d-----w- c:\documents and settings\change me\Application Data\TigerPlayer
2009-07-28 16:35 . 2009-07-28 16:22 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\TigerPlayer
2009-07-28 16:27 . 2009-07-28 16:27 0 ----a-w- c:\windows\nsreg.dat
2009-07-28 09:20 . 2009-07-28 08:47 -------- d-----w- c:\program files\ffdshow
2009-07-28 08:57 . 2009-06-12 07:18 -------- d-----w- c:\program files\SourceTec
2009-07-26 09:26 . 2009-07-14 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-26 07:55 . 2009-07-26 07:55 3888 ------w- c:\windows\system32\drivers\NTHANDLE.SYS
2009-07-24 09:22 . 2009-07-24 09:22 -------- d-----w- c:\program files\Search Guard Plus
2009-07-24 06:50 . 2009-07-21 10:46 -------- d-----w- c:\program files\iolo
2009-07-24 06:50 . 2009-07-21 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-07-21 13:28 . 2009-07-20 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak
2009-07-21 13:28 . 2009-07-20 14:51 -------- d-----w- c:\documents and settings\change me\Application Data\Systweak
2009-07-21 13:28 . 2009-07-20 14:51 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Systweak
2009-07-21 11:05 . 2009-07-21 00:21 518 ----a-w- c:\documents and settings\change me\Application Data\iolo\Registry\Last\restore.bat
2009-07-21 00:19 . 2009-07-21 00:19 1531 ----a-w- c:\documents and settings\change me\Application Data\iolo\restore.bat
2009-07-21 00:13 . 2009-07-21 00:01 -------- d-----w- c:\documents and settings\change me\Application Data\iolo
2009-07-21 00:13 . 2009-07-21 00:01 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\iolo
2009-07-21 00:06 . 2009-07-21 00:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2009-07-21 00:02 . 2009-07-21 00:02 74703 ------w- c:\windows\system32\mfc45.dll
2009-07-20 20:59 . 2004-08-04 12:00 182656 -c----w- c:\windows\system32\drivers\ndis.sys
2009-07-20 18:20 . 2009-07-20 18:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-07-20 18:20 . 2009-06-09 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-07-20 15:08 . 2009-07-20 15:06 30996544 ----a-w- c:\documents and settings\change me\Application Data\Systweak\ASO 2\UpdateASPnew.exe
2009-07-19 18:17 . 2009-07-19 18:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\agi
2009-07-19 18:15 . 2009-07-19 18:15 339968 ------w- c:\windows\system32\pythoncom25.dll
2009-07-19 18:15 . 2009-07-19 18:15 114688 ------w- c:\windows\system32\pywintypes25.dll
2009-07-19 18:15 . 2009-07-19 18:15 2117632 ------w- c:\windows\system32\python25.dll
2009-07-17 19:23 . 2009-07-17 19:23 -------- d-----w- c:\documents and settings\change me\Application Data\Windows Live Writer
2009-07-17 19:23 . 2009-07-17 19:23 -------- d-----w- c:\docume~1\CHANGE~1\APPLIC~1\Windows Live Writer
2009-07-17 19:22 . 2009-06-09 18:40 -------- d-----w- c:\program files\Windows Live
2009-07-17 19:21 . 2009-07-17 19:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-17 19:01 . 2004-08-04 12:00 58880 ------w- c:\windows\system32\atl.dll
2009-07-17 17:58 . 2009-07-17 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-07-17 09:56 . 2009-06-12 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-07-16 13:17 . 2009-07-06 18:18 1474832 ------w- c:\windows\system32\drivers\sfi.dat
2009-07-14 14:41 . 2009-07-14 13:55 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-14 14:03 . 2009-07-14 14:03 -------- d-----w- c:\program files\MSXML 6.0
2009-07-14 13:53 . 2009-07-14 13:53 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-07-14 13:51 . 2009-07-14 13:51 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-07-14 08:21 . 2009-07-14 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-13 22:43 . 2007-12-31 10:31 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 13:22 . 2009-07-13 13:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-11 17:24 . 2009-06-09 11:36 -------- d-----w- c:\program files\Common Files\Motive
2009-07-09 10:37 . 2009-07-09 10:37 -------- d-----w- c:\program files\Microsoft SDKs
2009-07-08 14:48 . 2009-07-08 14:48 23600 ------w- c:\windows\system32\drivers\TVICHW32.SYS
2009-07-08 14:28 . 2009-07-08 14:28 -------- d-----w- c:\program files\Intel Corporation
2009-07-08 13:50 . 2009-07-08 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-07-08 13:50 . 2009-07-08 13:50 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-07-06 03:40 . 2009-08-15 09:04 2838454 ----a-w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}\speedupmypc2009.exe
2009-07-06 03:40 . 2009-08-15 09:04 2838454 ----a-w- c:\documents and settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}(3)\speedupmypc2009.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 07:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25766:TCP"= 25766:TCP:BitComet 25766 TCP
"25766:UDP"= 25766:UDP:BitComet 25766 UDP
"65535:TCP"= 65535:TCP:BitComet 65535 TCP
"65535:UDP"= 65535:UDP:BitComet 65535 UDP
"12863:TCP"= 12863:TCP:BitComet 12863 TCP
"12863:UDP"= 12863:UDP:BitComet 12863 UDP
"20422:TCP"= 20422:TCP:BitComet 20422 TCP
"20422:UDP"= 20422:UDP:BitComet 20422 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/25/2009 08:57 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/25/2009 08:57 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 16:06 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/25/2009 08:56 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/25/2009 08:56 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [7/17/2009 20:22 55152]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [4/10/2008 11:31 177280]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [6/23/2009 16:07 99248]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 19:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [7/28/2009 15:17 16512]
S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [8/10/2009 07:03 42432]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 18:08 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 13:00 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 16:06 7408]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/11/2008 01:28 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 03:09 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 03:23 366936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-08-29 15:09]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-436374069-725345543-1003Core.job
- c:\documents and settings\change me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-10 07:33]

2009-09-01 c:\windows\Tasks\User_Feed_Synchronization-{C696E61C-6D6E-4E34-97DF-FF9D5594657B}.job
- c:\windows\system32\msfeedssync.exe [2007-12-31 03:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent DNA - c:\program files\DNA\btdna.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bt.yahoo.com/
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
LSP: c:\windows\system32\SecureNet.dll
Trusted Zone: motive.com\pbttbc.bt
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 13:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8d,84,93,df,33,82,70,46,8e,9b,18,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8d,84,93,df,33,82,70,46,8e,9b,18,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2952)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-01 13:35
ComboFix-quarantined-files.txt 2009-09-01 12:35
ComboFix2.txt 2009-09-01 07:17

Pre-Run: 102,125,826,048 bytes free
Post-Run: 102,122,090,496 bytes free

394 --- E O F --- 2009-09-01 06:47

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11:25, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--
End of file - 8440 bytes

Bio-Hazard
2009-09-01, 18:22
Hello!

Do NOT attach the logs, please post them even if it takes several posts to make.

Remove programs

Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for the following (if present):

Spycheck Antispyware

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Remove HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} -

Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed, close the application.

Back Up registry with ERUNT

Please use the following link and scroll down to ERUNT and download it on to your desktop. HERE (http://www.derfisch.de/lars/erunt-setup.exe)
Click on the erunt-setup.exe
Follow the prompts to install ERUNT
Choose language
A setup window will pop up. It will ask: Create ERUNT entry in the Startup folder. Answer NO

http://i219.photobucket.com/albums/cc99/BioHazard_030/erunt.png

Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe

Download and run OTM

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

:Files
C:\exefix.reg
c:\program files\DNA
c:\documents and settings\Administrator\Application Data\DNA
c:\documents and settings\change me\Application Data\Azureus
c:\documents and settings\All Users\Application Data\Azureus
c:\docume~1\CHANGE~1\APPLIC~1\Azureus
c:\program files\Vuze
c:\program files\Exterminate It!
c:\documents and settings\change me\Application Data\Smart PC Solutions
c:\docume~1\CHANGE~1\APPLIC~1\Smart PC Solutions
c:\documents and settings\change me\Application Data\.ABC
c:\docume~1\CHANGE~1\APPLIC~1\.ABC
C:\WINDOWS\Downloaded Installations\{CA96CAAA-F816-4CB5-9676-6A3FCCB81468}\Spycheck Antispyware.msi

:Reg
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Vuze\\Azureus.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25766:TCP"=-
"25766:UDP"=-
"65535:TCP"=-
"65535:UDP"=-
"12863:TCP"=-
"12863:UDP"=-
"20422:TCP"=-
"20422:UDP"=-

:Commands
[emptytemp]
[Reboot]



Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.



NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop.


Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)



Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the Perform Full Scan option is selected.
Then click on the Scan button.


If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


Malwarebytes Antimalware log
OTM Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

brian480
2009-09-01, 20:33
Malwarebytes' Anti-Malware 1.40
Database version: 2726
Windows 5.1.2600 Service Pack 3

9/1/2009 19:21:38
mbam-log-2009-09-01 (19-21-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162441
Time elapsed: 47 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
All processes killed
========== FILES ==========
C:\exefix.reg moved successfully.
c:\program files\DNA\plugins moved successfully.
c:\program files\DNA moved successfully.
c:\documents and settings\Administrator\Application Data\DNA moved successfully.
c:\documents and settings\change me\Application Data\Azureus\torrents moved successfully.
c:\documents and settings\change me\Application Data\Azureus\tmp moved successfully.
c:\documents and settings\change me\Application Data\Azureus\subs moved successfully.
c:\documents and settings\change me\Application Data\Azureus\shares moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins\vuzexcode\tmp moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins\vuzexcode\profiles moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins\vuzexcode moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins\azupnpav moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins\azump\mplayer moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins\azump moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins\azitunes moved successfully.
c:\documents and settings\change me\Application Data\Azureus\plugins moved successfully.
c:\documents and settings\change me\Application Data\Azureus\net moved successfully.
c:\documents and settings\change me\Application Data\Azureus\media\azpd moved successfully.
c:\documents and settings\change me\Application Data\Azureus\media moved successfully.
c:\documents and settings\change me\Application Data\Azureus\logs\save moved successfully.
c:\documents and settings\change me\Application Data\Azureus\logs moved successfully.
c:\documents and settings\change me\Application Data\Azureus\dht moved successfully.
c:\documents and settings\change me\Application Data\Azureus\devices moved successfully.
c:\documents and settings\change me\Application Data\Azureus\cache moved successfully.
c:\documents and settings\change me\Application Data\Azureus\active moved successfully.
c:\documents and settings\change me\Application Data\Azureus moved successfully.
c:\documents and settings\All Users\Application Data\Azureus moved successfully.
File/Folder c:\docume~1\CHANGE~1\APPLIC~1\Azureus not found.
c:\program files\Vuze\plugins\azemp\mplayer moved successfully.
c:\program files\Vuze\plugins\azemp moved successfully.
c:\program files\Vuze\plugins moved successfully.
c:\program files\Vuze moved successfully.
c:\program files\Exterminate It!\dbs moved successfully.
c:\program files\Exterminate It! moved successfully.
c:\documents and settings\change me\Application Data\Smart PC Solutions moved successfully.
File/Folder c:\docume~1\CHANGE~1\APPLIC~1\Smart PC Solutions not found.
c:\documents and settings\change me\Application Data\.ABC\icons moved successfully.
c:\documents and settings\change me\Application Data\.ABC moved successfully.
File/Folder c:\docume~1\CHANGE~1\APPLIC~1\.ABC not found.
C:\WINDOWS\Downloaded Installations\{CA96CAAA-F816-4CB5-9676-6A3FCCB81468}\Spycheck Antispyware.msi moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 5859 bytes

User: All Users

User: change me
->Temp folder emptied: 78454153 bytes
->Temporary Internet Files folder emptied: 57336447 bytes
->Java cache emptied: 128020 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 22016 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 8482 bytes

Total Files Cleaned = 129.66 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09012009_182351

Files moved on Reboot...

Registry entries deleted on Reboot...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:34, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--
End of file - 8465 bytes
Windows Defender still won't start and Spybot won't start. I keep getting Windows updates for the Windows Malicious Software Removal Tool; I install it fine, then it pops up again to install again.
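As an added worked example (not part of this thread, and not a tool either poster used): a small Python script that parses HijackThis v2.0.2 logs like the one above, flags the entry types a helper looks at first (unknown Winsock LSPs, IE policy restrictions, entries whose file is missing, services with no vendor string, blanked-out IE start/search values), and diffs two logs to show what changed between rounds of cleanup. The two sample logs inside it are constructed excerpts of the logs posted in this thread; the flag reasons are my own review heuristics, not anything HijackThis itself reports.

```python
"""Parse HijackThis v2.0.2 logs, flag entry types worth a second look, and
diff two logs to see what a cleanup round changed.  Added example, not a
tool used in this thread; the heuristics in flag_entry() are my own."""
import re
from dataclasses import dataclass

# One HijackThis entry line looks like "O23 - Service: Name (svc) - Vendor - C:\path"
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str   # section code, e.g. R0, O4, O10, O23
    body: str   # everything after "code - "


def parse_hjt(text):
    """Return (running_processes, entries) parsed from one log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return processes, entries


def flag_entry(e):
    """Reason an analyst would look twice at this entry, or None."""
    if e.code == "O10" and "Unknown file in Winsock LSP" in e.body:
        return "unknown Winsock LSP: sits in the socket path of every process"
    if e.code == "O6":
        return "IE policy restriction present: confirm whether a tool or malware set it"
    if "(file missing)" in e.body:
        return "orphaned entry: the referenced file no longer exists"
    if e.code == "O23" and "Unknown owner" in e.body:
        return "service with no vendor string: verify the binary on disk"
    if e.code in ("R0", "R1") and e.body.rstrip().endswith("="):
        return "empty IE start/search value: usually a leftover of a hijack"
    return None


def review(text):
    """Map each distinct flagged entry line to its reason (duplicates collapse)."""
    _, entries = parse_hjt(text)
    flagged = {}
    for e in entries:
        reason = flag_entry(e)
        if reason:
            flagged[f"{e.code} - {e.body}"] = reason
    return flagged


def diff_logs(before, after):
    """What appeared or disappeared between two logs of the same machine."""
    p1, e1 = parse_hjt(before)
    p2, e2 = parse_hjt(after)

    def key(e):
        return (e.code, e.body)

    return {
        "entries_removed": sorted(set(e1) - set(e2), key=key),
        "entries_added": sorted(set(e2) - set(e1), key=key),
        "processes_removed": sorted(set(p1) - set(p2)),
        "processes_added": sorted(set(p2) - set(p1)),
    }


# Constructed excerpts of the two logs posted in the thread (19:24 and 21:02).
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:34, on 9/1/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:43, on 9/1/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
"""

if __name__ == "__main__":
    for line, why in review(BEFORE).items():
        print(f"[!] {why}\n    {line}")
    for section, items in diff_logs(BEFORE, AFTER).items():
        print(section, items)
```

Run against the two full logs in the thread, the diff shows the Windows Defender engine (MsMpEng.exe) and UI appearing in the process list after the fr33.exe step, while the duplicated O10 securenet.dll LSP lines and the O6 policy key persist across both logs, which is exactly the kind of leftover a helper would want to explain or clean before closing the thread.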

Bio-Hazard
2009-09-01, 21:22
Download and run Win32kDiag


Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.




Download and use fr33.exe

http://img.photobucket.com/albums/v666/sUBs/Fr33_mbam.gif




Please download this FILE (http://download.bleepingcomputer.com/sUBs/Beta/fr33.exe)
Place fr33.exe into Windows Defender folder
Locate the Windows Defender exe file and then, using your mouse, drag it into fr33.exe.
That shall free it

Repeat the same with Spybot.




Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


Win32kDiag.txt
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

brian480
2009-09-01, 22:08
Log file is located at: C:\Documents and Settings\change me\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe ()





Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:43, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

--
End of file - 8358 bytes
They're both working great now, just my updates are still doing the same (I install them fine, then it prompts me to install them again). Thank you so much, Bio-Hazard.

Bio-Hazard
2009-09-01, 22:32
Hello!

Are you able to get other Windows updates? Is this problem only with the Windows Malicious Software Removal Tool?


Download and use fr33.exe

http://img.photobucket.com/albums/v666/sUBs/Fr33_mbam.gif




Place fr33.exe into C:\WINDOWS\system32 folder
Locate MRT.exe and then, using your mouse, drag it into fr33.exe.
That shall free it



Let me know how it went.

brian480
2009-09-01, 23:16
Thank you. I did as you said, then tried to install the update again and it worked great, thanks. I went onto Microsoft Update and tried to install an optional update, which was in hardware for my mouse. It downloaded fine, then as it tried to install the computer shut itself off; it tried to restart 3 times, then took me to the start in safe mode page, which I tried, and it would not start again. I started it in "most recent good ----", sorry, can't remember the rest. I tried another update, search 4.0 for XP; that downloaded and installed great. I don't know why my PC did that; it's never happened before.

Bio-Hazard
2009-09-02, 08:34
Hello!

So how are things running now? Are you experiencing any problems?

Can you post a new HijackThis log for me to see?

brian480
2009-09-02, 08:52
hello
Tried the computer this morning, everything seems fine, had a number of security updates which installed fine. Here's the log you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:45:15, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

--
End of file - 8438 bytes

Thank you once again bio-hazard
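A small triage parser for the HijackThis log format posted above, added here as an example and not part of this thread or of HijackThis itself. It groups the "Onn - ..." entry lines, pulls out the CLSID and the file or URL each entry points at, and flags the things a helper reads first: hooks marked "(file missing)", repeated "Unknown file in Winsock LSP" (O10) entries, and ActiveX downloads (O16) from hosts not on an allow list. The allow list and the sample log are constructed for this example (the sample reuses a few entry shapes from the log above).

```python
"""Triage helper for HijackThis 2.0.x logs (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Entry lines look like "O2 - BHO: Name - {CLSID} - C:\path\file.dll".
# Process-list lines, headers and blank lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Hosts whose ActiveX scanner controls (O16 DPF) are accepted without review.
# Constructed allow list for this example; extend it for your own environment.
TRUSTED_DPF_HOSTS = {
    "housecall65.trendmicro.com",
    "download.eset.com",
    "www.eset.eu",
    "download.bitdefender.com",
    "platformdl.adobe.com",
}


@dataclass
class Entry:
    code: str              # section code, e.g. "O2", "O10", "O16"
    body: str              # everything after "Onn - "
    clsid: Optional[str]   # {GUID} if the entry carries one
    target: str            # file path or URL the entry points at ("" if none)


def _target(body: str) -> str:
    """Return the path/URL at the end of an entry body.

    Most entries separate fields with " - "; O10 (LSP) entries use only ": ".
    A trailing "(file missing)" marker is removed so the path can be compared.
    """
    if " - " in body:
        tail = body.rsplit(" - ", 1)[1]
    elif ": " in body:
        tail = body.split(": ", 1)[1]
    else:
        tail = ""
    return tail.replace("(file missing)", "").strip()


def parse_log(text: str) -> List[Entry]:
    """Parse the entry lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(m.group("code"), body,
                             clsid.group(0) if clsid else None, _target(body)))
    return entries


Finding = Tuple[str, str, str]  # (kind, section code, detail)


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag entries worth a second look. Nothing here is a verdict; it is a
    reading order: orphaned hooks, unlisted ActiveX hosts, then LSP files."""
    findings: List[Finding] = []
    for e in entries:
        if "(file missing)" in e.body:
            # A registered hook whose file is gone: leftover from an uninstall
            # or a removed component; harmless but should be cleaned up.
            findings.append(("orphaned-hook", e.code, e.target))
        elif e.code == "O16":
            host = (urlparse(e.target).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("unlisted-dpf-host", e.code, e.target))
    # HijackThis repeats one O10 line per LSP chain it finds the DLL in;
    # report the DLL once with its count so the repeat is not misread.
    lsp = Counter(e.target.lower() for e in entries if e.code == "O10")
    for dll, n in lsp.items():
        findings.append(("unknown-lsp", "O10", f"{dll} x{n}"))
    return findings


# Constructed sample: a header, a process line and a handful of entries.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
"""

if __name__ == "__main__":
    for kind, code, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {code:4} {detail}")
```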

brian480
2009-09-02, 09:09
Hello Bio-Hazard, can you tell me why McAfee is still running on my computer? I just noticed it reading through the logs there. I had BT McAfee Internet Security but deleted it a few months ago.

Bio-Hazard
2009-09-02, 09:43
Hello!

Sometimes programs don't fully uninstall. So let's see if we can get rid of the McAfee stuff.

Re-run OTM


Double-click OTM.exe to run it.
Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.



:Services
McNASvc

:Files
C:\Program Files\Common Files\mcafee
c:\documents and settings\All Users\Application Data\Symantec(2)
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec(2)(3)
c:\documents and settings\All Users\Application Data\McAfee(4)
c:\documents and settings\All Users\Application Data\Symantec(4)
c:\documents and settings\All Users\Application Data\NortonInstaller(3)
c:\documents and settings\All Users\Application Data\McAfee(2)
c:\documents and settings\All Users\Application Data\NortonInstaller
:Commands
[emptytemp]
[Reboot]


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large MoveIt! button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.



NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


OTM Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

brian480
2009-09-02, 10:21
All processes killed
========== SERVICES/DRIVERS ==========

Service\Driver McNASvc deleted successfully.
========== FILES ==========
C:\Program Files\Common Files\McAfee\MSC\mcutil\9,11,100,0 moved successfully.
C:\Program Files\Common Files\McAfee\MSC\mcutil moved successfully.
C:\Program Files\Common Files\McAfee\MSC moved successfully.
C:\Program Files\Common Files\McAfee\MNA moved successfully.
C:\Program Files\Common Files\McAfee moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(2)\LiveUpdate(2)\LuRegManifests(2) moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(2)\LiveUpdate(2) moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(2) moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MNA moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\MISP\mcnasvc moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\MISP moved successfully.
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS moved successfully.
c:\documents and settings\All Users\Application Data\McAfee moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\SyKnAppS moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\Common Client\Temp moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\Common Client moved successfully.
c:\documents and settings\All Users\Application Data\Symantec\Cleanup moved successfully.
c:\documents and settings\All Users\Application Data\Symantec moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(2)(3)\LiveUpdate(2)\LuRegManifests(2) moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(2)(3)\LiveUpdate(2) moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(2)(3) moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(4)\MNA moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(4)\MCLOGS\MISP\mcnasvc moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(4)\MCLOGS\MISP moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(4)\MCLOGS moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(4) moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4)\SyKnAppS moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4)\LiveUpdate\LuRegManifests\Static moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4)\LiveUpdate\LuRegManifests moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4)\LiveUpdate moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4)\Common Client\Temp moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4)\Common Client moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4)\Cleanup moved successfully.
c:\documents and settings\All Users\Application Data\Symantec(4) moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller(3)\Settings moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller(3)\Logs\06-29-2009-17h25m46s moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller(3)\Logs\06-29-2009-15h28m47s moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller(3)\Logs moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller(3) moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(2)\MNA moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(2)\MCLOGS\MISP\mcnasvc moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(2)\MCLOGS\MISP moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(2)\MCLOGS moved successfully.
c:\documents and settings\All Users\Application Data\McAfee(2) moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller\Settings moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\06-29-2009-17h25m46s moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\06-29-2009-15h28m47s moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs moved successfully.
c:\documents and settings\All Users\Application Data\NortonInstaller moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: All Users

User: change me
->Temp folder emptied: 120320 bytes
->Temporary Internet Files folder emptied: 47669219 bytes
->Java cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 2688 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 35781 bytes
RecycleBin emptied: 1831486 bytes

Total Files Cleaned = 47.42 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09022009_091138

Files moved on Reboot...

Registry entries deleted on Reboot...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:19:41, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 8309 bytes

brian480
2009-09-02, 10:23
My PC seems to be running fine. Windows Explorer seems to take forever to load a page up though. Thank you once again.

Bio-Hazard
2009-09-02, 10:40
Hello!

Your logs are clean of malware.

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:


DDS - (You can just delete the exe file from your desktop)
SysProt - (You can just delete the exe file from your desktop)
fr33.exe - (You can just delete the exe file from your desktop)
ATF cleaner - (You can just delete the exe file from your desktop)
Win32kDiag - (You can just delete the exe file from your desktop)
ERUNT - (You can uninstall it from Add/Remove Programs)





Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.

OTC

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.


Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself



Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.



Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) or F-Secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html). I suggest that you run one of them at least once a month.




Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.



WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).

SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926) and Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).

Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding host files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).

Use an alternative Internet Browser
Many of the exploits are directed at users of Internet Explorer. Try using a different browser instead: Firefox (http://www.mozilla.com/en-US/firefox/), Opera (http://www.opera.com/download/) or Google Chrome (http://www.google.com/chrome).



Here is a great article by miekiemoes How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard

brian480
2009-09-02, 11:23
I have read your suggestions and added some of them to my computer thank you so much for your help:thanks:

Bio-Hazard
2009-09-02, 12:22
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.