Whatever it is won't even let HJT run



jskyer
2009-09-20, 06:25
This is the most evil bug I have ever encountered. Came from a website. Immediately Google started sending me to random places. Then AVG, S&D, and Ad-Aware all failed. Even the Windows backup program says that it's not installed. I came here and followed the Before You Post instructions as far as I could. ERUNT appears to have completed its task. But HJT, after install, ran for a minute then closed without creating a file. All attempts to start it again only give me the message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item". What can I say but Help!

km2357
2009-09-22, 20:13
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


Step # 1 Download and Run exeHelper

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



Step # 2 Download and run DDS

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.




Step # 3 Download and run RootRepeal


We need to check for rootkits with RootRepeal
Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror (http://ad13.geekstogo.com/RootRepeal.exe)
Secondary Mirror (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.exe)
Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.exe)

Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

Primary Mirror (http://rootrepeal.googlepages.com/RootRepeal.zip)

Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.zip)

Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.zip)

Rar Mirrors - Only if you know what a RAR is and can extract it.

Primary Mirror (http://ad13.geekstogo.com/RootRepeal.rar)

Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.rar)

Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.rar)


Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open RootRepeal.exe on your desktop.
Click the Report tab.
Click the Scan button.
Check all seven boxes.
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



In your next post/reply, I need to see the following:

1. exeHelper Log
2. The two DDS Logs (DDS and Attach.txt)
3. RootRepeal Log

Use multiple posts if you can't fit everything into one post.

jskyer
2009-09-23, 06:37
Cannot download exeHelper from raktor.net. The following two errors occur on two different machines. The infected one and my laptop which is not infected.

First message is from Windows: "Cannot copy exeHelper[1]: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

Second message is from AVG:
"File Name: C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\A6EF19YK\exeHelper[1].com
Threat Name: Virus found Downloader.Banload"

RE DDS (fyi): First link brings up a page that says "Page not found". Second link worked OK and downloaded dds.scr. Third link failed twice with a runtime error before it finally downloaded dds with no extension.

RootRepeal.exe downloaded with no problems.

Since I could not download exeHelper I have not done anything but download the remaining files.

Pressing question: I use both ACT! 11 (a SQL database CRM tool), and Outlook 2007 extensively in my business. I have been afraid to use either of these since this bug took hold. Are either of these programs, or their data, in danger?

Thank you for your help. I am eagerly awaiting your response.

km2357
2009-09-23, 07:22
> Cannot download exeHelper from raktor.net. The following two errors occur on two different machines. The infected one and my laptop which is not infected.
>
> First message is from Windows: "Cannot copy exeHelper[1]: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."
>
> Second message is from AVG:
> "File Name: C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\A6EF19YK\exeHelper[1].com
> Threat Name: Virus found Downloader.Banload"

Hmmm... that's strange, never had that happen before with exeHelper. Did the first message happen when you tried to download it to the Desktop (on either the clean or infected computer)? Or did it happen when you tried to copy it to a USB/Flash Drive on the clean computer to transfer it over to the infected computer?

exeHelper.com is not a malicious file, don't know why AVG is saying it is. I see that AVG says that exeHelper was saved in the Temporary Internet Files. Make sure that it's saved on the Desktop when you download it. If you're able to copy exeHelper over successfully make sure that AVG is disabled (you can disconnect the infected comp from the 'Net, if it isn't already) so it won't pick up exeHelper.

See if you get exeHelper to download and run, if you can't we'll go ahead and skip it for now.



> Pressing question: I use both ACT! 11 (a SQL database CRM tool), and Outlook 2007 extensively in my business. I have been afraid to use either of these since this bug took hold. Are either of these programs, or their data, in danger?

The bug you have can stop .exe files from running, saying that you don't have the proper permissions to run them, like HJT. I would stay away from running those two programs for now. Their data should be safe, but I'd stay away until we've cleaned up your machine.

=====================

Go ahead and run DDS and RootRepeal and post their logs in your next post. Also post exeHelper's log, if you can.

jskyer
2009-09-23, 08:11
The first error message appears to be generated by Windows. As I understand it, when Windows downloads a file it downloads it first to the temp directory and then when completed it writes it to the designated folder. I interpret the error message Windows is giving me as meaning that Windows is not being allowed to copy that temp download file to the destination desktop. Subsequently the download fails and the temp downloaded file is deleted.

The second message is generated by AVG. It has obviously tracked the download, found that the file contained a virus named Downloader.Banload and subsequently banished it to the virus vault. But since the download never completes the file, exeHelper.com, is nowhere to be found on my computer.

What is Downloader.Banload?


NEXT: I attempted to run dds.scr. All it does is open a cmd prompt window and give me the following message.

"As per the instruction you would have received, kindly ensure any onboard script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

-- DDs makes no registry writes/changes
-- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.
When the scan is complete, a logfile/report shall pop open.
Post the contents of the logfiel to the forum where it was requested
We only require it to run just once. Dispose after use.
-- "

This stays open for several seconds then closes. No logfile is ever generated that I can find.

What is a script blocking tool and where would I go to disable it?

NEXT: I ran RootRepeal as per your instructions. After clicking OK in step 8 the program ran for about ten seconds and then quit and disappeared from the screen. It never reached step 10. It did, however, generate a settings.dat file, but it is empty. Also, I am unable to run the program a second time. Neither can I delete it, rename it or move it.

km2357
2009-09-23, 20:24
It looks like this infection is blocking our tools from running. :sad: Don't worry, we'll get it. :) And since RootRepeal didn't work, we'll try another Rootkit scanner as well.



> What is Downloader.Banload?

http://www.pctools.com/mrc/infections/id/Trojan-Downloader.Banload

I still think it's strange that AVG is picking up exeHelper as downloader.banload. I still think it's a False Positive. It's possible that AVG is picking up part of exeHelper as malicious, even though its intended use is not.



> What is a script blocking tool and where would I go to disable it?

Script blocking tools are your Anti-Virus and Anti-Spyware tools. In your first post, you mention AVG, S&D, and Ad-Aware.

To disable AVG, do the following:

If you have AVG 7
Please open the AVG7 Control Center.
Double-click on the "AVG Resident Shield" component (looks like this: http://i100.photobucket.com/albums/m7/dasaki/Clipboard02-1.jpg).
Deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, reopen the AVG Control Center.
Double-click on the "AVG Resident Shield" component, select the "Turn on AVG Resident Shield" checkmark and save the setting.


If you have AVG 8
Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
Click on Tools.
Select Advanced.
In the left hand pane, scroll down to "Resident Shield".
In the main pane, deselect the option to "Enable Resident Shield."
To re-enable AVG 8, please select "Enable Resident Shield" again.


If you have AVG 8.5
Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
Click on Open AVG Interface.
Double click on Resident Shield
Deselect the option to "Enable Resident Shield."
Save changes, and exit the application.
To re-enable AVG 8.5, please select "Enable Resident Shield" again.


For Ad-Aware, if you have Ad-Watch running, do the following:

Disable Ad-Aware Ad-Watch until the computer is clean

Ad-Aware's Ad-Watch normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Right click on the Ad-Watch icon in the system tray.
- At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
- Uncheck both of those boxes.

2007:

To turn off Ad-Watch please right click the system tray icon and click the "Close Ad-Watch" selection and then select "Yes" when the confirmation window appears.


If you have Teatimer running with Spybot S&D, do the following:

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have version 1.5 or 1.6, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in the left panel, click Resident (it shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


After you've disabled what you can, try running DDS again.

I'd like also for you to do this as well:


Step # 1 Download and run Win32kDiag

Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Step # 2 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.


Double click Sysprot.exe to start the program.

Click on the Log tab.
In the Write to log box select the following items only:
Process
Kernel Modes
SSDT
Kernel Hooks
Hidden Files
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


In your next post/reply, I need to see the following:

1. The two DDS Logs, if available
2. Win32kdiag Log
3. SysProt Log
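
Win32kDiag's log (posted further down in this thread) is mostly repeated "Found mount point" / "Mount point destination" pairs, plus a few "Cannot access" files listed together with the other copies of the same file that the tool found. The script below is an added example, not part of Win32kDiag or of this thread: it parses that format and flags mount points whose target is not a normal \??\ volume or directory path, and inaccessible files whose in-place copy has no vendor string or a size unlike its backup copies. The benign-target heuristic and the C:\MountedData sample entry are assumptions made for the example.

```python
"""Triage helper for Win32kDiag logs (added example; not part of Win32kDiag
or of this thread).  It parses the findings the tool prints:
    Found mount point : <directory>
    Mount point destination : <target>
    Cannot access: <file>
    [<n>] <date> <time> <size> <path> (<Company>)
and flags mount points with an abnormal target, and inaccessible files whose
in-place copy has no vendor string or a size unlike its backup copies."""
import re
from collections import Counter

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# Heuristic (an assumption, not a rule from the tool): junctions and volume
# mount points made through Win32 target \??\Volume{GUID}\ or \??\X:\...;
# a bare \Device\... target is not something ordinary software creates.
BENIGN_DEST_RE = re.compile(r"^\\\?\?\\(Volume\{[0-9a-fA-F-]+\}|[A-Za-z]:)\\")


def parse_win32kdiag(text):
    """Return (mounts, blocked): mounts = [(directory, destination)],
    blocked = [(file, [(timestamp, size, path, company), ...])]."""
    mounts, blocked, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines only separate entries
        if m := MOUNT_RE.match(line):
            mounts.append([m.group(1), None])
            current = None
        elif (m := DEST_RE.match(line)) and mounts and mounts[-1][1] is None:
            mounts[-1][1] = m.group(1)
        elif m := CANNOT_RE.match(line):
            current = (m.group(1), [])    # copies that follow belong to it
            blocked.append(current)
        elif (m := COPY_RE.match(line)) and current is not None:
            ts, size, path, company = m.groups()
            current[1].append((ts, int(size), path, company))
        else:
            current = None                # any other line ends the group
    return [tuple(x) for x in mounts], blocked


def suspicious_mounts(mounts):
    """Mount points whose destination is missing or not a Win32-style target."""
    return [(d, dest) for d, dest in mounts
            if dest is None or not BENIGN_DEST_RE.match(dest)]


def suspicious_files(blocked):
    """Compare each inaccessible file with the same-named copies Win32kDiag
    lists next to it (service pack cache, uninstall backup)."""
    findings = []
    for target, copies in blocked:
        base = target.rsplit("\\", 1)[-1].lower()
        inplace = [c for c in copies if c[2].lower() == target.lower()]
        ref_sizes = sorted({c[1] for c in copies if c not in inplace
                            and c[2].rsplit("\\", 1)[-1].lower() == base})
        if not inplace:
            findings.append((target, "in-place copy not listed"))
            continue
        reasons = []
        if not inplace[0][3].strip():     # tool could not read version info
            reasons.append("no vendor string")
        if ref_sizes and inplace[0][1] not in ref_sizes:
            reasons.append("size %d differs from backups %s" % (inplace[0][1], ref_sizes))
        if reasons:
            findings.append((target, "; ".join(reasons)))
    return findings


# Constructed sample: entries copied from the log posted later in this
# thread plus one made-up benign volume mount point (C:\MountedData).
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\MountedData
Mount point destination : \??\Volume{0a1b2c3d-0000-0000-0000-000000000001}\
Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe
[1] 2004-08-04 00:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()
[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

if __name__ == "__main__":
    mounts, blocked = parse_win32kdiag(SAMPLE_LOG)
    print("mount targets:", Counter(dest for _, dest in mounts))
    print("suspicious mounts:", suspicious_mounts(mounts))
    print("suspicious files:", suspicious_files(blocked))
```

On the full log in this thread every junction resolves to the same non-volume target, and all three inaccessible system files show an in-place copy with an empty vendor field, which is what this triage is meant to surface at a glance.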

jskyer
2009-09-24, 05:51
After turning off everything like you suggested I went and downloaded exehelper.com again. This time successfully. Below are results from every one of your recommended tools that I could actually get to run, and the results from those that I could not. I'm really pleased that I could finally get any of them to run. Whew! I am encouraged.

I'm feeling confident that my data is safe, and the more I get into this and think about how much damage has likely been done to an untold number of programs, the more I'm about ready to bite the bullet and just rebuild. But not until I've completed your program. Thanks for this help. Seriously!

================================

::: Results of exehelper.com :::
exeHelper by Raktor - 09
Build 20090919
Run at 20:14:49 on 09/23/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


::: Results of dds.scr :::
DDS still does not run.


::: Results of RootRepeal :::
Original version would not run. Downloaded it a second time, to a different location.
Results were the same. It ran for about 10 seconds, closed and created an empty settings.dat file.
Will not run a second time.


::: Results of Win32kDiag :::
Running from: C:\Documents and Settings\Geoff\Desktop\SaferNetworking\Win32kDiag.exe

Log file at : C:\Documents and Settings\Geoff\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP354.tmp\ZAP354.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP37F.tmp\ZAP37F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP413.tmp\ZAP413.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 00:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\ntbackup.exe

[1] 2004-08-04 00:56:56 1200128 C:\WINDOWS\$NtServicePackUninstall$\ntbackup.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:30 1200640 C:\WINDOWS\ServicePackFiles\i386\ntbackup.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:30 1200640 C:\WINDOWS\system32\ntbackup.exe ()



Found mount point : C:\WINDOWS\Temp\ActInst\ActInst

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\ACTInstLog\ACTInstLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\da\da

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\el\el

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\en\en

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\es\es

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\it\it

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\no\no

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\th\th

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\gis6ada7\2.4.1536.6592\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Vbox\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Vbox\Installers\Installers

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Vbox\PackingSlips\PackingSlips

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!



::: Results of Sysprot.exe :::
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 444
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 500
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 524
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 568
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 732
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 816
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 912
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1020
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1152
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PID: 1172
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1452
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\kmw_run.exe
PID: 1732
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 1752
Hidden: No
Window Visible: No

Name: C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
PID: 1764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\kmw_show.exe
PID: 1784
Hidden: No
Window Visible: No

Name: C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
PID: 1820
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 1856
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\tbctray.exe
PID: 1864
Hidden: No
Window Visible: No

Name: C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
PID: 1888
Hidden: No
Window Visible: Yes

Name: C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PID: 1896
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PID: 1916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1940
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\MICROS~4\rapimgr.exe
PID: 2008
Hidden: No
Window Visible: No

Name: C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
PID: 368
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 472
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 852
Hidden: No
Window Visible: No

Name: C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 1396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\CTSVCCDA.EXE
PID: 1560
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1676
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgam.exe
PID: 1836
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1216
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 1904
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PID: 2256
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PID: 2520
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PID: 2544
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PID: 2592
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2660
Hidden: No
Window Visible: No

Name: C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PID: 2708
Hidden: No
Window Visible: No

Name: C:\Program Files\UPHClean\uphclean.exe
PID: 2736
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchindexer.exe
PID: 2800
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3884
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\find.exe
PID: 1580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchprotocolhost.exe
PID: 3508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\searchfilterhost.exe
PID: 1668
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProt.exe
PID: 3832
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B17B6000
Module End: B17C1000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FF000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FF000
Module End: 8071FD00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7CEE000
Module End: F7CF0000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7BFE000
Module End: F7C01000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F779F000
Module End: F77CD000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7CF0000
Module End: F7CF2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F778E000
Module End: F779F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F77EE000
Module End: F77F8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F7C02000
Module End: F7C05000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F7C06000
Module End: F7C0A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7DB6000
Module End: F7DB7000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7A6E000
Module End: F7A75000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F7CF2000
Module End: F7CF4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F77FE000
Module End: F7809000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F776F000
Module End: F778E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F7749000
Module End: F776F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F7A76000
Module End: F7A7B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F780E000
Module End: F781B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F7731000
Module End: F7749000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F781E000
Module End: F7827000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F782E000
Module End: F783B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F7711000
Module End: F7731000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F76FF000
Module End: F7711000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F7A7E000
Module End: F7A83000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F76E8000
Module End: F76FF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F76D5000
Module End: F76E8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F7648000
Module End: F76D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F761B000
Module End: F7648000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F7601000
Module End: F761B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\avgrkx86.sys
Service Name: AvgRkx86
Module Base: F7CF6000
Module End: F7CF8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F783E000
Module End: F7849000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F787E000
Module End: F7887000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F74DE000
Module End: F75B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F74CA000
Module End: F74DE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F7AB6000
Module End: F7ABC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F74A6000
Module End: F74CA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7ABE000
Module End: F7AC6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcspud.sys
Service Name: tbcspud
Module Base: F7482000
Module End: F74A6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcos.sys
Service Name: ---
Module Base: F7CFA000
Module End: F7CFC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ks.sys
Service Name: ---
Module Base: F745F000
Module End: F7482000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys
Service Name: HSFHWBS2
Module Base: F742C000
Module End: F745F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USR_MDM.sys
Service Name: HSF_DP
Module Base: F732D000
Module End: F742C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_USR.sys
Service Name: winachsf
Module Base: F7285000
Module End: F732D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F7ADE000
Module End: F7AE6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RTL8139.SYS
Service Name: rtl8139
Module Base: F7AE6000
Module End: F7AEC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F788E000
Module End: F789E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F7C9A000
Module End: F7C9E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F7271000
Module End: F7285000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F789E000
Module End: F78AB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
Service Name: KMW_SYS
Module Base: F725A000
Module End: F7271000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\KMW_Lib.sys
Service Name: ---
Module Base: F7CFE000
Module End: F7D00000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7B0E000
Module End: F7B14000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7ED7000
Module End: F7ED8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F78AE000
Module End: F78BB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7CA6000
Module End: F7CA9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F7243000
Module End: F725A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F78BE000
Module End: F78C9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F78CE000
Module End: F78DA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7B2E000
Module End: F7B33000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F7232000
Module End: F7243000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F78DE000
Module End: F78E7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7B3E000
Module End: F7B43000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7B4E000
Module End: F7B53000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F7202000
Module End: F7232000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F78EE000
Module End: F78F8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7B5E000
Module End: F7B64000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7D04000
Module End: F7D06000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F717C000
Module End: F71DA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7CCA000
Module End: F7CCE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F78FE000
Module End: F7908000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F792E000
Module End: F793D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7D0A000
Module End: F7D0C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tbcwdm.sys
Service Name: tbcwdm
Module Base: B2E52000
Module End: B2ED8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B2E2E000
Module End: B2E52000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F793E000
Module End: F794D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\gameenum.sys
Service Name: gameenum
Module Base: F75D1000
Module End: F75D4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F7B8E000
Module End: F7B93000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7F17000
Module End: F7F18000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7D14000
Module End: F7D16000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7BAE000
Module End: F7BB5000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7BB6000
Module End: F7BBC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7D18000
Module End: F7D1A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7D1C000
Module End: F7D1E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F7BD6000
Module End: F7BDE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7C8E000
Module End: F7C91000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B2D5B000
Module End: B2D6E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B2D02000
Module End: B2D5B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: B2CC1000
Module End: B2CDA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B2C9B000
Module End: B2CC1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F798E000
Module End: F7997000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B2C73000
Module End: B2C9B000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: F71FA000
Module End: F71FD000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B2C51000
Module End: B2C73000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F799E000
Module End: F79A7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B2C26000
Module End: B2C51000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B2BB6000
Module End: B2C26000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F79DE000
Module End: F79E9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F7A8E000
Module End: F7A94000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: B2B65000
Module End: B2BB6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F7AC6000
Module End: F7ACE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F7AD6000
Module End: F7ADD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F71E2000
Module End: F71E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F79FE000
Module End: F7A07000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F71DA000
Module End: F71DE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
Service Name: KMW_KBD
Module Base: F7D26000
Module End: F7D28000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B2B4D000
Module End: B2B65000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7D2A000
Module End: F7D2C000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F75D5000
Module End: F75D8000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7B1E000
Module End: F7B23000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7EC1000
Module End: F7EC2000
Hidden: No

Module Name: \systemroot\win32k.sys:1
Service Name: ---
Module Base: F7B76000
Module End: F7B7B000
Hidden: Yes

Module Name: \systemroot\win32k.sys:2
Service Name: ---
Module Base: B2D8E000
Module End: B2D9D000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B23B8000
Module End: B23CD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B27ED000
Module End: B27FC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B21AE000
Module End: B21D2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B2181000
Module End: B21AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: B206D000
Module End: B2070000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B1EAF000
Module End: B1F01000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Service Name: ---
Module Base: F7D12000
Module End: F7D14000
Hidden: Yes

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B196E000
Module End: B19AF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B1300000
Module End: B132B000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\rootrepeal.sys
Service Name: rootrepeal
Module Base: B1AEF000
Module End: B1AFB000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7CF4000
Module End: F7CF6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F7AF6000
Module End: F7AFD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7D50000
Module End: F7D52000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7BC6000
Module End: F7BCB000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwUnloadKey
Address: F7D1263C
Driver Base: F7D12000
Driver End: F7D14000
Driver Name: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No hidden files/folders found

km2357
2009-09-24, 20:14
Step # 1: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it to jskyer.exe before saving it. Save it to your Desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

--------------------------------------------------------------------

Double click on jskyer.exe & follow the prompts.
When finished, it will produce a report for you.
Please include the C:\ComboFix.txt in your next reply so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

jskyer
2009-09-24, 22:31
Here are the results from ComboFix:
==========================

ComboFix 09-09-23.02 - Geoff 09/24/2009 13:14.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.487 [GMT -7:00]
Running from: c:\documents and settings\Geoff\Desktop\SaferNetworking\JakeBird.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\66b49.msp
c:\windows\Installer\66b5e.msp
c:\windows\Installer\66bc3.msp
c:\windows\Installer\66bd2.msp
c:\windows\Installer\ef22c.msi
c:\windows\run.log

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-21 03:57 . 2009-09-24 03:01 -------- d-----w- c:\program files\oldspybot~2
2009-09-20 04:02 . 2009-09-20 04:02 -------- d-----w- c:\program files\Trend Micro
2009-09-20 03:58 . 2009-09-20 03:58 -------- d-----w- c:\program files\ERUNT
2009-09-20 01:46 . 2009-09-21 03:55 -------- d-----w- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 07:45 . 2009-09-18 07:45 -------- d-----w- c:\program files\STOPzilla!
2009-09-18 07:37 . 2009-09-18 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-18 07:36 . 2009-09-18 07:36 -------- d-----w- c:\program files\Common Files\iS3
2009-09-18 07:36 . 2009-09-18 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-18 06:46 . 2009-09-24 19:25 0 ----a-r- c:\windows\win32k.sys
2009-09-05 03:56 . 2009-09-05 03:56 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-04 06:56 . 2009-09-04 07:29 -------- d-----w- c:\program files\SpyZooka
2009-08-27 03:22 . 2009-08-27 03:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 20:21 . 2005-04-10 03:19 7304 ----a-w- c:\windows\TMP0001.TMP
2009-09-24 19:28 . 2009-06-24 20:31 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-09-24 04:40 . 2008-06-16 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-24 03:00 . 2005-04-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-20 01:45 . 2005-04-24 00:48 -------- d-----w- c:\program files\old_spybot~1
2009-09-18 06:47 . 2008-05-23 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-30 20:20 . 2008-12-25 20:37 -------- d-----w- c:\program files\Freecorder
2009-08-16 03:56 . 2009-08-16 03:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-16 03:56 . 2007-02-25 01:40 -------- d-----w- c:\program files\Java
2009-08-04 22:19 . 2005-04-11 00:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-02 23:12 . 2009-06-24 20:17 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-02 01:21 . 2009-08-02 01:21 -------- d-----w- c:\program files\QuickTime
2009-08-02 01:21 . 2005-05-05 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\program files\Apple Software Update
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-29 02:23 . 2008-05-23 00:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-29 02:23 . 2008-05-23 00:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-29 02:23 . 2006-11-23 22:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-20 21:57 . 2009-07-20 21:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 21:56 . 2009-07-20 21:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 21:56 . 2009-07-20 21:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-09 22:52 . 2009-07-09 22:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 22:52 . 2009-07-09 22:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 22:51 . 2009-07-09 22:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 22:51 . 2009-07-09 22:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 22:51 . 2009-07-09 22:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 22:50 . 2009-07-09 22:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 22:50 . 2009-07-09 22:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 22:50 . 2009-07-09 22:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 22:47 . 2009-07-09 22:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-03 17:09 . 2002-08-29 10:41 915456 ----a-w- c:\windows\system32\wininet.dll
2008-12-25 20:35 . 2008-12-25 20:35 2788800 ------w- c:\program files\FLV PlayerFCSetup.exe
2005-09-16 02:26 . 2005-06-25 06:01 44153 ------w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 20:38 1004800 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2022680]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-08-01 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-08-01 393216]
"ACTSchedulerUI"="c:\program files\ACT\Act for Windows\Act.Scheduler.UI.exe" [2008-08-01 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-17 290816]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-10-15 221295]
Windows Search.lnk.disabled [2009-3-1 1798]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-29 02:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe"
"MSWheel"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act8.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act11.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/22/2008 5:52 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2008 5:52 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2008 5:52 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 10:26 AM 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 3:38 AM 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [4/9/2005 5:30 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [4/9/2005 5:30 PM 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProtDrv.sys [9/23/2009 8:37 PM 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [7/31/2008 9:02 PM 81920]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-25 02:43]

2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{0E74C5E3-16AD-40A6-86AA-AE2E70CED442}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08 .
- - - - ORPHANS REMOVED - - - -

BHO-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\tbFre0.dll__BHODemonDisabled
Toolbar-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\Freecorder\tbFre0.dll__BHODemonDisabled
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - c:\program files\Freecorder\tbFre0.dll__BHODemonDisabled
AddRemove-AudibleManager - c:\program files\Audible\Bin\Upgrade.exe
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 13:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9F697F2E-8BCA-DBDF-35BF-AC7D3CC7CA18}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dacofhgn"=hex:62,61,61,6c,00,06
"fapnalbjfplb"=hex:63,61,62,6c,6b,66,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(584)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\kmw_show.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\CTSVCCDA.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-24 13:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 20:26

Pre-Run: 86,949,539,840 bytes free
Post-Run: 87,266,082,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


km2357
2009-09-25, 07:15
Go ahead and delete DDS and redownload it and see if you can get it to run and get its two logs:

Step # 1 Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

Step # 2 Run Win32kDiag

Make sure that Win32kDiag.exe is located on your Desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

Step # 3: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

Folder::

c:\program files\DNA

Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"=-

RegNull::

[HKEY_USERS\S-1-5-21-2052111302-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9F697F2E-8BCA-DBDF-35BF-AC7D3CC7CA18}*]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on jskyer's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The two DDS Logs, if available (DDS.txt and Attach.txt)
2. The Win32kDiag Log
3. The ComboFix Log that appears after Step 3 has been completed.

jskyer
2009-09-25, 08:40
Everything ran OK this time. Makes me think fantastic things are being accomplished. Yay!

Here are the files you requested:

::: DDS.txt :::

DDS (Ver_09-07-30.01) - NTFSx86
Run by Geoff at 23:10:30.70 on Thu 09/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Geoff\Desktop\SaferNetworking\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235942706406
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\geoff\application data\mozilla\firefox\profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-23 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-22 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-4-9 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-4-9 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\geoff\desktop\safernetworking\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-9-23 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]

=============== Created Last 30 ================

2009-09-24 13:12 <DIR> a-dshr-- C:\cmdcons
2009-09-24 13:11 229,888 a------- c:\windows\PEV.exe
2009-09-24 13:11 161,792 a------- c:\windows\SWREG.exe
2009-09-24 13:11 98,816 a------- c:\windows\sed.exe
2009-09-20 20:57 <DIR> --d----- c:\program files\oldspybot~2
2009-09-19 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 18:46 <DIR> --d----- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 00:45 <DIR> --d----- c:\program files\STOPzilla!
2009-09-18 00:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-18 00:36 <DIR> --d----- c:\program files\common files\iS3
2009-09-18 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-17 23:46 0 a----r-- c:\windows\win32k.sys
2009-09-04 20:56 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-03 23:56 <DIR> --d----- c:\program files\SpyZooka

==================== Find3M ====================

2009-09-24 22:06 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-24 19:41 7,304 a------- c:\windows\TMP0001.TMP
2009-08-15 20:56 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-28 19:23 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 19:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-24 13:31 88 ---shr-- c:\docume~1\alluse~1\applic~1\E18EE82E7A.sys
2008-12-25 13:35 2,788,800 -------- c:\program files\FLV PlayerFCSetup.exe
2008-06-02 14:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080603\index.dat

============= FINISH: 23:11:11.29 ===============


::: Attach.txt :::

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/9/2005 4:36:05 PM
System Uptime: 9/24/2009 7:41:14 PM (4 hours ago)

Motherboard: | | 848P-ICH5
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 478 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 81.284 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 3.84 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Service:

==== System Restore Points ===================

RP3: 9/24/2009 1:19:47 PM - System Checkpoint
RP4: 9/24/2009 8:16:25 PM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acoustica Effects Pack
ACT!
ACT! by Sage 2009 (11.0)
Ad-Aware
Adobe Acrobat 4.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 7.0
Adobe SVG Viewer 3.0
Amazon MP3 Downloader 1.0.0+6
APC PowerChute Personal Edition
Apple Software Update
Applet_App
Applet_Copy
Applet_Creativity
Applet_Email
Applet_Epp
Applet_File
Applet_OCR
Applet_Web
Applian FLV Player
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATT-AACE
Audacity 1.2.6
Audacity 1.3.7 (Unicode)
AutoUpdate
AVG 8.5
BadCopy Pro
CompanionLink
Copy Utility
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
Critical Update for Windows Media Player 11 (KB959772)
DBF Viewer 2000
DiscWizard for Windows
DivX
DivX Web Player
EPSON Print CD
EPSON Printer Software
EPSON Smart Panel
EPSON SP R200 Reference Guide
EPSON TWAIN 5
ERUNT 1.1j
ffdshow (remove only)
FileZilla (remove only)
FileZilla Client 3.2.3.1
Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Icon Edit 2.1.9
J2SE Runtime Environment 5.0 Update 11
JagoClient Version 5.0
Java(TM) 6 Update 15
Kensington MouseWorks
Macromedia Flash MX 2004
Macromedia Shockwave Player
Mapopolis
Microsearch Color Picker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Musicnotes Player V1.23.1 and Viewer
NTI CD-Maker 2000
PC Inspector smart recovery
PF1250-1650 Guide
Pocket GNU Go
QuickTime
Real Alternative 1.51
RecordPad Sound Recorder Uninstall
ScanToWeb
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Spin It Again
STOPzilla
Switch Uninstall
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Turtle Beach Santa Cruz Driver
U.S. Robotics V.92 PCI Faxmodem
UltraEdit-32
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
ZENcast Organizer

==== Event Viewer Messages From Past Week ========

9/24/2009 1:19:48 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
9/24/2009 1:19:46 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/24/2009 1:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/24/2009 1:11:34 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 1:10:55 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/20/2009 9:05:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/20/2009 8:57:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/20/2009 8:53:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/20/2009 8:52:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
9/20/2009 8:51:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/19/2009 6:54:56 PM, error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: Access is denied.
9/19/2009 6:46:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/19/2009 6:35:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 12:37:34 AM, error: Service Control Manager [7034] - The STOPzilla Service service terminated unexpectedly. It has done this 1 time(s).
9/17/2009 11:47:37 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

==== End Of File ===========================


::: Win32KDiag.txt :::
Running from: C:\Documents and Settings\Geoff\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Geoff\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Cannot access: C:\WINDOWS\system32\ntbackup.exe

Attempting to restore permissions of : C:\WINDOWS\system32\ntbackup.exe



Finished!


::: ComboFix log :::
ComboFix 09-09-23.02 - Geoff 09/24/2009 23:21.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.440 [GMT -7:00]
Running from: c:\documents and settings\Geoff\Desktop\SaferNetworking\JakeBird.exe
Command switches used :: c:\documents and settings\Geoff\Desktop\SaferNetworking\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DNA
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-21 03:57 . 2009-09-24 03:01 -------- d-----w- c:\program files\oldspybot~2
2009-09-20 04:02 . 2009-09-20 04:02 -------- d-----w- c:\program files\Trend Micro
2009-09-20 03:58 . 2009-09-20 03:58 -------- d-----w- c:\program files\ERUNT
2009-09-20 01:46 . 2009-09-21 03:55 -------- d-----w- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 07:45 . 2009-09-18 07:45 -------- d-----w- c:\program files\STOPzilla!
2009-09-18 07:37 . 2009-09-18 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-18 07:36 . 2009-09-18 07:36 -------- d-----w- c:\program files\Common Files\iS3
2009-09-18 07:36 . 2009-09-18 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-18 06:46 . 2009-09-24 19:25 0 ----a-r- c:\windows\win32k.sys
2009-09-05 03:56 . 2009-09-05 03:56 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-04 06:56 . 2009-09-04 07:29 -------- d-----w- c:\program files\SpyZooka
2009-08-27 03:22 . 2009-08-27 03:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 06:27 . 2005-04-10 03:19 7304 ----a-w- c:\windows\TMP0001.TMP
2009-09-25 05:41 . 2008-06-16 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-25 05:06 . 2009-06-24 20:31 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-09-24 03:00 . 2005-04-24 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-20 01:45 . 2005-04-24 00:48 -------- d-----w- c:\program files\old_spybot~1
2009-09-18 06:47 . 2008-05-23 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-30 20:20 . 2008-12-25 20:37 -------- d-----w- c:\program files\Freecorder
2009-08-16 03:56 . 2009-08-16 03:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-16 03:56 . 2007-02-25 01:40 -------- d-----w- c:\program files\Java
2009-08-04 22:19 . 2005-04-11 00:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-02 23:12 . 2009-06-24 20:17 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-02 01:21 . 2009-08-02 01:21 -------- d-----w- c:\program files\QuickTime
2009-08-02 01:21 . 2005-05-05 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\program files\Apple Software Update
2009-08-02 01:20 . 2009-08-02 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-29 02:23 . 2008-05-23 00:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-29 02:23 . 2008-05-23 00:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-29 02:23 . 2006-11-23 22:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-20 21:57 . 2009-07-20 21:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 21:56 . 2009-07-20 21:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 21:56 . 2009-07-20 21:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-09 22:52 . 2009-07-09 22:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 22:52 . 2009-07-09 22:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 22:51 . 2009-07-09 22:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 22:51 . 2009-07-09 22:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 22:51 . 2009-07-09 22:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 22:50 . 2009-07-09 22:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 22:50 . 2009-07-09 22:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 22:50 . 2009-07-09 22:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 22:47 . 2009-07-09 22:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-03 17:09 . 2002-08-29 10:41 915456 ------w- c:\windows\system32\wininet.dll
2008-12-25 20:35 . 2008-12-25 20:35 2788800 ------w- c:\program files\FLV PlayerFCSetup.exe
2005-09-16 02:26 . 2005-06-25 06:01 44153 ------w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_20.22.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-25 06:29 . 2009-09-25 06:29 16384 c:\windows\temp\Perflib_Perfdata_634.dat
+ 2009-09-25 06:29 . 2009-09-25 06:29 16384 c:\windows\temp\Perflib_Perfdata_3cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 20:38 1004800 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2022680]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-08-01 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-08-01 393216]
"ACTSchedulerUI"="c:\program files\ACT\Act for Windows\Act.Scheduler.UI.exe" [2008-08-01 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-17 290816]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-10-15 221295]
Windows Search.lnk.disabled [2009-3-1 1798]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-29 02:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe"
"MSWheel"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act8.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\Act11.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/22/2008 5:52 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2008 5:52 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2008 5:52 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 10:26 AM 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 3:38 AM 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [4/9/2005 5:30 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [4/9/2005 5:30 PM 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Geoff\Desktop\SaferNetworking\SysProt\SysProt\SysProt\SysProtDrv.sys [9/23/2009 8:37 PM 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [7/31/2008 9:02 PM 81920]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-25 02:43]

2009-09-25 c:\windows\Tasks\User_Feed_Synchronization-{0E74C5E3-16AD-40A6-86AA-AE2E70CED442}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08 .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 23:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(588)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-25 23:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-25 06:34
ComboFix2.txt 2009-09-24 20:27

Pre-Run: 87,258,251,264 bytes free
Post-Run: 87,214,821,376 bytes free

257

km2357
2009-09-25, 20:58
Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove the older Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u16 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:


J2SE Runtime Environment 5.0 Update 11

Java(TM) 6 Update 15


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.



Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the MalwareBytes' Log in your next post/reply.

jskyer
2009-09-26, 07:45
Everything ran as described. Below is the log from Malwarebytes' Anti-Malware.

Two questions:

1) Right after we started this explore and repair endeavor I started receiving the following Windows message every time the machine boots up. After completing Step #3 in this recent set, when I rebooted the machine this message still comes up:

"Windows cannot open this file
Windows search.lnk.disabled"

There is the request to search for the program to open this file and I have simply been clicking on Cancel.

What is it, and what should I do?

2) Every time I start Outlook 2007, the first time I click on Send/Receive, the Send/Receive dialog box opens up for about a second and then Outlook closes entirely. When I start it up a second time, this does not happen. This is still happening after completing the recent set of instructions.


Here is the log from Malwarebytes ---


Malwarebytes' Anti-Malware 1.41
Database version: 2861
Windows 5.1.2600 Service Pack 3

9/25/2009 10:29:35 PM
mbam-log-2009-09-25 (22-29-35).txt

Scan type: Quick Scan
Objects scanned: 106167
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

km2357
2009-09-26, 19:47
1) Right after we started this explore and repair endeavor I started receiving the following Windows message every time the machine boots up. After completing Step #3 in this recent set, when I rebooted the machine this message still comes up:

"Windows cannot open this file
Windows search.lnk.disabled"

There is the request to search for the program to open this file and I have simply been clicking on Cancel.

What is it, and what should I do?

.lnk files are shortcuts to files and folders. Windows can't find this file/folder, so let's get rid of this so the message doesn't come up again. We'll do it with HJT.

Remove Hijackthis Entries


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O4 - Global Startup: Windows Search.lnk.disabled


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Then reboot your computer; the message should be gone when your computer boots back up.



2) Every time I start Outlook 2007, the first time I click on Send/Receive, the Send/Receive dialog box opens up for about a second and then Outlook closes entirely. When I start it up a second time, this does not happen. This is still happening after completing the recent set of instructions.

Not sure what is happening here. Looking it up on Google doesn't give many results. Did this ever happen before, before you came here for help? You can try going into Add/Remove Programs, selecting Outlook 2007 and seeing if you can select Repair (if it's there) to see if you can fix it.


==================

I'd also like for you to do the following:


Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 7.0.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.1.3 is a large program and if you prefer a smaller program you can get Foxit 3.1 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.1 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. Besides what you posted at the beginning of your last post, how is your computer doing? Any problems?

jskyer
2009-09-27, 09:10
Dinner and a movie later, here are the reports you requested. But first, I get the feeling that the computer is happier than it was. IE and Google appear to be cooperating again, and the thing may actually be running faster, but that's only a feeling. Certainly a lot less continuous hard disc activity.

I have left Ad-Aware turned off. Spybot was so wrecked I uninstalled it, as much as I could. I have left the Windows firewall turned off and I have been disabling AVG whenever I download something you ask me to and for the duration of its running. But then I enable it again. So, this morning I booted up the machine and after it sat there for several minutes, unused, AVG popped up the following message:

Resident Shield alert

File name: C:\System Volume Information\_restore{3D2F4BBA-EAB6-4978-9EBA-5CDE82BEBE2A}\RP4\A0000774.com

Threat name: Virus found Downloader.Banload
Detected on open.

Process name: C:\WINDOWS\SYSTEM32\svchost.exe
Process ID: 888



Here are the reports you requested:

::: Kaspersky log :::
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 26, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 27, 2009 05:17:13
Records in database: 2926943
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 128276
Threats found: 8
Infected objects found: 22
Suspicious objects found: 0
Scan duration: 02:22:58


File name / Threat / Threats count
C:\Documents and Settings\All Users\Documents\outlook.pst Infected: Trojan-Downloader.Win32.FraudLoad.fpw 5
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.wh 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.wj 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.xd 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.Bredolab.wr 1
C:\Documents and Settings\All Users\Documents\Outlook2007\outlook.pst Infected: Backdoor.Win32.UltimateDefender.yw 1
C:\Documents and Settings\Geoff\Desktop\Downloads\SBC_SST_Installer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
C:\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Downloader.Win32.FraudLoad.fpw 7
C:\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Downloader.Win32.FraudLoad.wspk 3

Selected area has been scanned.


::: DDS.txt :::

DDS (Ver_09-07-30.01) - NTFSx86
Run by Geoff at 23:54:57.23 on Sat 09/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.698 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Geoff\Desktop\SaferNetworking\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235942706406
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\geoff\application data\mozilla\firefox\profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-23 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-22 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-4-9 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-4-9 545088]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\geoff\desktop\safernetworking\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-9-23 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]

=============== Created Last 30 ================

2009-09-25 22:23 <DIR> --d----- c:\docume~1\geoff\applic~1\Malwarebytes
2009-09-25 22:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 22:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-25 22:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-25 22:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-25 22:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-24 13:12 <DIR> a-dshr-- C:\cmdcons
2009-09-24 13:11 229,888 a------- c:\windows\PEV.exe
2009-09-24 13:11 161,792 a------- c:\windows\SWREG.exe
2009-09-24 13:11 98,816 a------- c:\windows\sed.exe
2009-09-20 20:57 <DIR> --d----- c:\program files\oldspybot~2
2009-09-19 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 18:46 <DIR> --d----- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 00:45 <DIR> --d----- c:\program files\STOPzilla!
2009-09-18 00:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-18 00:36 <DIR> --d----- c:\program files\common files\iS3
2009-09-18 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-04 20:56 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-03 23:56 <DIR> --d----- c:\program files\SpyZooka

==================== Find3M ====================

2009-09-26 20:56 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-26 20:54 7,304 a------- c:\windows\TMP0001.TMP
2009-09-25 22:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-28 19:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-09 15:52 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-07-09 15:50 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-09 15:47 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-24 13:31 88 ---shr-- c:\docume~1\alluse~1\applic~1\E18EE82E7A.sys
2008-12-25 13:35 2,788,800 -------- c:\program files\FLV PlayerFCSetup.exe
2008-06-02 14:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080603\index.dat

============= FINISH: 23:55:18.71 ===============



::: Attach.txt :::

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/9/2005 4:36:05 PM
System Uptime: 9/26/2009 8:54:32 PM (3 hours ago)

Motherboard: | | 848P-ICH5
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 478 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 80.753 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 3.828 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Service:

==== System Restore Points ===================

RP3: 9/24/2009 1:19:47 PM - System Checkpoint
RP4: 9/24/2009 8:16:25 PM - System Checkpoint
RP5: 9/25/2009 10:09:40 PM - Removed J2SE Runtime Environment 5.0 Update 11
RP6: 9/25/2009 10:10:31 PM - Removed Java(TM) 6 Update 15
RP7: 9/25/2009 10:16:41 PM - Installed Java(TM) 6 Update 16
RP8: 9/26/2009 8:52:12 PM - Removed Adobe Reader 7.0
RP9: 9/26/2009 8:52:32 PM - Installed Adobe Reader 9.1.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acoustica Effects Pack
Acrobat.com
ACT!
ACT! by Sage 2009 (11.0)
Ad-Aware
Adobe Acrobat 4.0
Adobe AIR
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 9.1
Adobe SVG Viewer 3.0
Amazon MP3 Downloader 1.0.0+6
APC PowerChute Personal Edition
Apple Software Update
Applet_App
Applet_Copy
Applet_Creativity
Applet_Email
Applet_Epp
Applet_File
Applet_OCR
Applet_Web
Applian FLV Player
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATT-AACE
Audacity 1.2.6
Audacity 1.3.7 (Unicode)
AutoUpdate
AVG 8.5
BadCopy Pro
CompanionLink
Copy Utility
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
Critical Update for Windows Media Player 11 (KB959772)
DBF Viewer 2000
DiscWizard for Windows
DivX
DivX Web Player
EPSON Print CD
EPSON Printer Software
EPSON Smart Panel
EPSON SP R200 Reference Guide
EPSON TWAIN 5
ERUNT 1.1j
ffdshow (remove only)
FileZilla (remove only)
FileZilla Client 3.2.3.1
Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Icon Edit 2.1.9
JagoClient Version 5.0
Java(TM) 6 Update 16
Kensington MouseWorks
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Mapopolis
Microsearch Color Picker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Musicnotes Player V1.23.1 and Viewer
NTI CD-Maker 2000
PC Inspector smart recovery
PF1250-1650 Guide
Pocket GNU Go
QuickTime
Real Alternative 1.51
RecordPad Sound Recorder Uninstall
ScanToWeb
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Spin It Again
STOPzilla
Switch Uninstall
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Turtle Beach Santa Cruz Driver
U.S. Robotics V.92 PCI Faxmodem
UltraEdit-32
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
ZENcast Organizer

==== Event Viewer Messages From Past Week ========

9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The User Profile Hive Cleanup service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server (ACT7) service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Protexis Licensing V2 service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The APC UPS Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The SQL Server Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/24/2009 1:19:48 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
9/24/2009 1:19:46 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/24/2009 1:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/24/2009 1:11:34 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 1:10:55 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/20/2009 9:06:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/20/2009 8:57:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/20/2009 8:53:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/20/2009 8:52:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
9/20/2009 8:51:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/19/2009 6:54:56 PM, error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: Access is denied.
9/19/2009 6:46:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/19/2009 6:35:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/19/2009 6:35:32 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

km2357
2009-09-27, 22:51
What AVG found is in System Restore. It is harmless where it is. I'll be having you remove your old System Restore points and setting up a new, clean one in an upcoming post.

Based on what Kaspersky found, go ahead and go into Outlook 2007 and delete all e-mails in your Junk/Spam/Bulk folder(s) and go into your Inbox and delete any e-mails you no longer need as well.

jskyer
2009-09-28, 06:05
OK, I got rid of almost everything. Even managed to close a duplicate Personal Folders collection. Then I compacted the real Personal Folders.

I took a look at the Kaspersky report and tried to locate the .pst files it's talking about, and I cannot. So I did a search and found seven Outlook.pst files, all in different locations, including on my D drive where I have a very old version of Outlook that hasn't been run in years. Strangely, they all have date/time stamps within the last 24 hours. And again, I can't find the directory where these files are supposedly located. For example: C:\Documents and Settings\All Users\Documents\ doesn't exist on my machine, but both search and Kaspersky say that I have .pst files located there.

jskyer
2009-09-28, 07:39
Thank Ghawd and Praise "Bob" for System Restore points. After sending you the above reply I tried to open ACT! 11, and it wouldn't. The SQL server was disabled. Fortunately I had a system restore point from one of yesterday's assignments, and for the first time in weeks it actually worked. All the stuff in Outlook you asked me to delete had been deleted. Probably including some that several months from now I'm going to miss, but what can you do? The mysterious duplicate Personal Folders has been restored, but somehow I think that is tied in to my problem with SQL and ACT! Don't ask me how, but after the restore that's the only thing that's different. Anyway, I'm back on track and ready for symptom six, I mean your next reply. Thank you, seriously, for your help here.

km2357
2009-09-28, 08:11
If there are no more problems, then you are good to go.

You can reenable both Ad-Aware and the Windows Firewall.

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
exeHelper.com
The exeHelper Log
RootRepeal.exe
Win32kDiag.exe
The Win32kDiag Log(s)
SysProt.exe
The SysProt Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK


Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked, please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently. It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the task bar at the bottom of your screen. Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
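
One way to confirm that the Internet Explorer zone, Explorer view and hosts file / DNS Client changes from the post above actually took effect after a reboot. This is an added example, not part of this thread or of any tool it mentions; it only reads settings back and changes nothing. It assumes Windows PowerShell 2.0 or later, run as the user whose profile is being checked. The registry value names and the Internet zone action codes (1001, 1004, 1201, 1800, 1804, 1607, with 0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented ones; the threshold of 100 hosts entries used to decide whether the DNS Client service should be on Manual is an assumption, not something the post states.

```powershell
# Added audit script (not from the thread): reports whether the settings the
# All Clean post asks for are in place. Read-only; assumes Windows PowerShell 2.0+.

# Internet zone (zone 3) action codes. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZoneChecks = @(
    @{ Code = '1001'; Want = 1; Desc = 'Download signed ActiveX controls' },
    @{ Code = '1004'; Want = 3; Desc = 'Download unsigned ActiveX controls' },
    @{ Code = '1201'; Want = 3; Desc = 'Initialize and script ActiveX controls not marked as safe' },
    @{ Code = '1800'; Want = 1; Desc = 'Installation of desktop items' },
    @{ Code = '1804'; Want = 1; Desc = 'Launching programs and files in an IFRAME' },
    @{ Code = '1607'; Want = 1; Desc = 'Navigate sub-frames across different domains' }
)

# Explorer view settings from the "files that should be hidden" step.
$AdvPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ExplorerChecks = @(
    @{ Name = 'Hidden';          Want = 2; Desc = 'Do not show hidden files and folders (2 = hide)' },
    @{ Name = 'ShowSuperHidden'; Want = 0; Desc = 'Hide protected operating system files (0 = hide)' },
    @{ Name = 'HideFileExt';     Want = 0; Desc = 'Show extensions for known file types (0 = show)' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, which means the built-in default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-Result([string]$Setting, $Current, $Expected, [bool]$OK) {
    New-Object PSObject -Property @{ Setting = $Setting; Current = $Current; Expected = $Expected; OK = $OK }
}

function Test-InternetZone {
    foreach ($c in $ZoneChecks) {
        $have = Get-RegValue $ZonePath $c.Code
        $ok = ($have -ne $null) -and ([int]$have -eq $c.Want)
        $label = 'not set (IE default)'
        if ($have -ne $null) {
            $label = $Meaning[[int]$have]
            if (-not $label) { $label = "raw value $have" }
        }
        New-Result $c.Desc $label $Meaning[$c.Want] $ok
    }
}

function Test-ExplorerView {
    foreach ($c in $ExplorerChecks) {
        $have = Get-RegValue $AdvPath $c.Name
        $ok = ($have -ne $null) -and ([int]$have -eq $c.Want)
        New-Result $c.Desc $have $c.Want $ok
    }
}

function Test-HostsAndDnsClient {
    # The post only recommends switching DNS Client to Manual when a large custom
    # hosts file is installed, so report both facts. 100 entries is an assumed threshold.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = @(Get-Content $hostsFile -ErrorAction SilentlyContinue |
                 Where-Object { $_ -match '^\s*[0-9]' }).Count
    $svc = Get-WmiObject Win32_Service -Filter "Name='Dnscache'"   # StartMode: Auto/Manual/Disabled
    $largeHosts = $entries -gt 100
    $wantMode = $(if ($largeHosts) { 'Manual' } else { 'Auto' })
    $ok = (-not $largeHosts) -or ($svc.StartMode -eq 'Manual')
    New-Result 'Active hosts file entries' $entries 'n/a' $true
    New-Result 'DNS Client service start mode' $svc.StartMode $wantMode $ok
}

$(Test-InternetZone; Test-ExplorerView; Test-HostsAndDnsClient) |
    Format-Table Setting, Current, Expected, OK -AutoSize
```

Any row with OK = False is a setting that did not stick (a profile reset or a restore to an older restore point, as happened earlier in this thread, will silently revert them), so re-run the matching step in the post above. The zone values live under HKCU, so run it as the user who browses, not from an elevated administrator profile.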

jskyer
2009-09-29, 20:27
I'm going to need a day or so to complete everything you talk about in your last reply so please don't close this case yet.

Also, I still have a couple of issues. Outlook 2007 still occasionally closes on first use of Send/Receive, and the SQL database associated with ACT 11 occasionally will not load at all, generating four red warnings in the Windows event viewer under applications.

Is there one last scan we can do that will let us know that we actually caught everything?

And/or will I simply need to go in and run some of the Windows repair routines and possibly just reinstall specific programs that are behaving strangely?

km2357
2009-09-29, 20:42
I'm going to need a day or so to complete everything you talk about in your last reply so please don't close this case yet.

Ok, I'll keep the thread open until you're ready to have it closed. :)


Also, I still have a couple of issues. Outlook 2007 still occasionally closes on first use of Send/Receive, and the SQL database associated with ACT 11 occasionally will not load at all, generating four red warnings in the Windows event viewer under applications.

Is there one last scan we can do that will let us know that we actually caught everything?

And/or will I simply need to go in and run some of the Windows repair routines and possibly just reinstall specific programs that are behaving strangely?

I think the best thing to do for the Outlook '07 and ACT 11 problems is to do either the Windows repair routines or just reinstall those programs.

But, just in case something has come back/we missed something, go ahead and run DDS again (redownload it if you've already deleted DDS.scr) and run MalwareBytes' again (do another Quick scan and be sure to Update it before doing the scan).

Post the DDS and MalwareBytes' Logs in your next post and let me know if you solved your problems with Outlook and ACT.

jskyer
2009-09-29, 23:14
Thanks.

What is UPHClean?

Is STOPZilla a problem? I don't know where it came from, and when I tried to uninstall it the other day it totally broke IE and also took out something that then prevented the ACT SQL server from loading, so I was relieved that the System Restore was there, again. This is the same thing that happened when I tried to remove the duplicate Personal Folders from Outlook 2007.

Apparently neither of these is creating problems that are detectable, so should I just leave them, and other stuff like them, alone?

I'll report back one more time after I have completed your last set of instructions.

Here are the reports you requested.



=== DDS.txt ===

DDS (Ver_09-07-30.01) - NTFSx86
Run by Geoff at 13:47:07.71 on Tue 09/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.539 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Geoff\Desktop\SaferNetworking\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235942706406
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\geoff\application data\mozilla\firefox\profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-23 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-22 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-4-9 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-4-9 545088]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2001-8-23 14336]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\geoff\desktop\safernetworking\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-9-23 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]

=============== Created Last 30 ================

2009-09-28 12:05 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-28 12:05 <DIR> --d----- c:\program files\STOPzilla!
2009-09-28 11:54 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-09-28 11:54 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-09-28 11:54 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-09-28 11:54 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-09-28 11:54 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-09-28 11:54 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-09-25 22:23 <DIR> --d----- c:\docume~1\geoff\applic~1\Malwarebytes
2009-09-25 22:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 22:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-25 22:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-25 22:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-25 22:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-24 13:12 <DIR> a-dshr-- C:\cmdcons
2009-09-24 13:11 229,888 a------- c:\windows\PEV.exe
2009-09-24 13:11 161,792 a------- c:\windows\SWREG.exe
2009-09-24 13:11 98,816 a------- c:\windows\sed.exe
2009-09-20 20:57 <DIR> --d----- c:\program files\oldspybot~2
2009-09-19 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 18:46 <DIR> --d----- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 00:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-18 00:36 <DIR> --d----- c:\program files\common files\iS3
2009-09-18 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-03 23:56 <DIR> --d----- c:\program files\SpyZooka

==================== Find3M ====================

2009-09-29 11:33 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-29 10:54 7,304 a------- c:\windows\TMP0001.TMP
2009-09-27 21:50 244,874 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-09-25 22:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-28 19:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-24 13:31 88 ---shr-- c:\docume~1\alluse~1\applic~1\E18EE82E7A.sys
2008-12-25 13:35 2,788,800 -------- c:\program files\FLV PlayerFCSetup.exe
2008-06-02 14:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080603\index.dat

============= FINISH: 13:47:53.32 ===============



===Attach.txt ===

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/9/2005 4:36:05 PM
System Uptime: 9/29/2009 10:54:04 AM (3 hours ago)

Motherboard: | | 848P-ICH5
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 478 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 81.056 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 3.828 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Service:

==== System Restore Points ===================

RP3: 9/24/2009 1:19:47 PM - System Checkpoint
RP4: 9/24/2009 8:16:25 PM - System Checkpoint
RP5: 9/25/2009 10:09:40 PM - Removed J2SE Runtime Environment 5.0 Update 11
RP6: 9/25/2009 10:10:31 PM - Removed Java(TM) 6 Update 15
RP7: 9/25/2009 10:16:41 PM - Installed Java(TM) 6 Update 16
RP8: 9/26/2009 8:52:12 PM - Removed Adobe Reader 7.0
RP9: 9/26/2009 8:52:32 PM - Installed Adobe Reader 9.1.
RP10: 9/27/2009 9:51:35 PM - Restore Operation
RP11: 9/28/2009 11:54:54 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP12: 9/28/2009 12:04:43 PM - Restore Operation
RP13: 9/29/2009 9:46:37 AM - Avg8 Update
RP14: 9/29/2009 9:47:17 AM - Avg8 Update

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acoustica Effects Pack
Acrobat.com
ACT!
ACT! by Sage 2009 (11.0)
Ad-Aware
Adobe Acrobat 4.0
Adobe AIR
Adobe Download Manager
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Product/Adobe Studio Update 10/2001
Adobe SVG Viewer 3.0
Amazon MP3 Downloader 1.0.0+6
APC PowerChute Personal Edition
Apple Software Update
Applet_App
Applet_Copy
Applet_Creativity
Applet_Email
Applet_Epp
Applet_File
Applet_OCR
Applet_Web
Applian FLV Player
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATT-AACE
Audacity 1.2.6
Audacity 1.3.7 (Unicode)
AutoUpdate
AVG 8.5
BadCopy Pro
CompanionLink
Copy Utility
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
Critical Update for Windows Media Player 11 (KB959772)
DBF Viewer 2000
DiscWizard for Windows
DivX
DivX Web Player
EPSON Print CD
EPSON Printer Software
EPSON Smart Panel
EPSON SP R200 Reference Guide
EPSON TWAIN 5
ERUNT 1.1j
ffdshow (remove only)
FileZilla (remove only)
FileZilla Client 3.2.3.1
Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Icon Edit 2.1.9
JagoClient Version 5.0
Java(TM) 6 Update 16
Kensington MouseWorks
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Mapopolis
Microsearch Color Picker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Musicnotes Player V1.23.1 and Viewer
NTI CD-Maker 2000
PC Inspector smart recovery
PF1250-1650 Guide
Pocket GNU Go
QuickTime
Real Alternative 1.51
RecordPad Sound Recorder Uninstall
ScanToWeb
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Spin It Again
STOPzilla
Switch Uninstall
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Turtle Beach Santa Cruz Driver
U.S. Robotics V.92 PCI Faxmodem
UltraEdit-32
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
ZENcast Organizer

==== Event Viewer Messages From Past Week ========

9/28/2009 12:07:59 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
9/28/2009 12:07:59 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/28/2009 12:07:58 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
9/27/2009 9:55:18 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
9/27/2009 6:04:44 PM, error: Service Control Manager [7024] - The SQL Server (ACT7) service terminated with service-specific error 3417 (0xD59).
9/25/2009 10:34:53 PM, error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: Access is denied.
9/24/2009 11:26:11 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The User Profile Hive Cleanup service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server (ACT7) service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Protexis Licensing V2 service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The APC UPS Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The SQL Server Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/24/2009 11:20:32 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 1:19:48 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
9/24/2009 1:19:46 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/24/2009 1:10:55 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

=== mbam-log-2009-09-29 (13-59-27) ===
Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 3

9/29/2009 1:59:27 PM
mbam-log-2009-09-29 (13-59-27).txt

Scan type: Quick Scan
Objects scanned: 113065
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

jskyer
2009-09-30, 02:21
Right after I sent the above reports I reinstalled Spybot S&D and ran it, successfully for the first time in about two weeks, and it found two entries which it labeled as TrojansC. Below is the log from this last run. I let S&D "fix" the problem. BTW, I could not accomplish this reinstall without first uninstalling the previous no-longer-working one already installed. But, I could not completely uninstall S&D either, nor could I remove the folder nor the SpybotSD.exe file. I was told that it could not be deleted because it was being used by another application. What I could do, but only via the CMD window, was rename the folder to something else. This allowed me to then reinstall as I said above.

Next I uninstalled AVG, which had stopped working about a week ago, and then deleted all its leftover folders and files. I then reinstalled it and ran a full scan. It, too, found two Trojan Horse infections, which it ultimately said it removed and healed. Below the S&D report is the AVG report.

=== Spybot S&D report ===
--- Search result list ---
Win32.TDSS.reg: [SBI $36E9AD68] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys\imagepath

Win32.TDSS.reg: [SBI $65DD3871] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-09-29 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-08-10 Includes\Dialer.sbi (*)
2009-09-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-22 Includes\HijackersC.sbi (*)
2009-09-22 Includes\Keyloggers.sbi (*)
2009-09-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-22 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-22 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-22 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-22 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-09-15 Includes\Trojans.sbi (*)
2009-09-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB969897)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB971930)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB972260)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Hotfix for Windows XP (KB915800-v4)
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961371)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ Windows XP / SP4: Security Update for Windows XP (KB971633)
/ Windows XP / SP4: Security Update for Windows XP (KB973346)


--- Startup entries list ---
Located: HK_LM:Run, Act! Preloader
command: "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
file: C:\Program Files\ACT\Act for Windows\ActSage.exe
size: 393216
MD5: EE6B83A90AD49DDB035AD2F69AEE5E63

Located: HK_LM:Run, Act.Outlook.Service
command: "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
file: C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
size: 28672
MD5: 883625BDF6C508C81BE6AD130E0682E4

Located: HK_LM:Run, ACTSchedulerUI
command: "C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe" -Dfalse
file: C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
size: 499712
MD5: 7E473FE86F9D79A6BEBD8166FC9FD936

Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 2023704
MD5: B87AE4DF2BCF791F3BBFF77AEDD2B88E

Located: HK_LM:Run, EPSON Stylus Photo R200 Series
command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
size: 99840
MD5: A4C1716A34262E098CB585DB78895312

Located: HK_LM:Run, kmw_run.exe
command: kmw_run.exe
file: C:\WINDOWS\system32\kmw_run.exe
size: 106496
MD5: 2436367CDD597D19E6132EBD76AF4BE3

Located: HK_LM:Run, Malwarebytes Anti-Malware (reboot)
command: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
size: 1312080
MD5: C5FCC0B761069FABD59E41B7C3280DDF

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: FABAD2BFD44661D8CC627E5485BFAFAF

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 5E4C9C25D603AE46DEDCBD9674F86E21

Located: HK_LM:Run, TraySantaCruz
command: C:\WINDOWS\system32\tbctray.exe
file: C:\WINDOWS\system32\tbctray.exe
size: 290816
MD5: DB287A128B405524E45534D6EAECD066

Located: HK_LM:Run, Adobe Photo Downloader (DISABLED)
command: "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
file: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, IntelliPoint (DISABLED)
command: "C:\Program Files\Microsoft IntelliPoint\point32.exe"
file: C:\Program Files\Microsoft IntelliPoint\point32.exe
size: 204800
MD5: D6C9858536249E31A5E9A1A4F3A08113

Located: HK_LM:Run, MSWheel (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: FABAD2BFD44661D8CC627E5485BFAFAF

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, CTSyncU.exe
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
file: C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
size: 700416
MD5: C00E6005BBDBA8DAEDBF7C7A7F4522A7

Located: HK_CU:Run, H/PC Connection Agent
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
file: C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
size: 1289000
MD5: 5515EB5E3A8B073F66CFC697EB0D4B55

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, swg
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, TomTomHOME.exe
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
file: C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
size: 251240
MD5: 188D622EFF263BC4BEFF08DB7D7EC811

Located: Startup (common), APC UPS Status.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
file: C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
size: 221295
MD5: D792A8E66DD10C0EAD76DF613A670B7B

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, avgrsstarter
command: avgrsstx.dll
file: avgrsstx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{1827766B-9F49-4854-8034-F6EE26FCB1EC} (SITEguard BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: SITEguard BHO
CLSID name: ZILLAbar Browser Helper Object
Path: C:\Program Files\STOPzilla!\
Long name: SZSG.dll
Short name:
Date (created): 9/28/2009 11:55:00 AM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 8/18/2009 4:09:46 PM
Filesize: 259520
Attributes: readonly archive
MD5: C1E8D22553A85D0EA3D3CC82EEB162CC
CRC32: 4F978459
Version: 2.0.50.0

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (WormRadar.com IESiteBlocker.NavFilter)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: WormRadar.com IESiteBlocker.NavFilter
CLSID name: AVG Safe Search
Path: C:\Program Files\AVG\AVG8\
Long name: avgssie.dll
Short name:
Date (created): 1/8/2009 10:26:00 AM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 7/28/2009 7:23:48 PM
Filesize: 1111320
Attributes: archive
MD5: 726F21F6723ECEBA37DCF325E1A5FFEC
CRC32: 170FF9EA
Version: 8.5.0.405

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 9/29/2009 2:21:26 PM
Date (last access): 9/29/2009 2:21:26 PM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{A3BC75A2-1F87-4686-AA43-5347D756017C} (AVG Security Toolbar BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AVG Security Toolbar BHO
Path: C:\Program Files\AVG\AVG8\Toolbar\
Long name: IEToolbar.dll
Short name: IETOOL~1.DLL
Date (created): 6/10/2009 8:41:42 AM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 6/2/2009 1:38:14 PM
Filesize: 1004800
Attributes:
MD5: 604AF29F1799FC48065BFB52D47567EA
CRC32: DBFD3081
Version: 2.506.2.2

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: C:\Program Files\Google\Google Toolbar\
Long name: GoogleToolbar_32.dll
Short name: GOOGLE~2.DLL
Date (created): 8/26/2009 8:30:20 PM
Date (last access): 9/29/2009 2:12:50 PM
Date (last write): 8/26/2009 8:23:08 PM
Filesize: 256112
Attributes: archive
MD5: 783AD24A77CD964B9888F27535FCC56E
CRC32: 4A1F3697
Version: 6.2.1815.1002

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\
Long name: swg.dll
Short name:
Date (created): 8/26/2009 8:30:24 PM
Date (last access): 9/29/2009 2:12:50 PM
Date (last write): 8/26/2009 8:30:24 PM
Filesize: 761840
Attributes: archive
MD5: 32201F66E39D48070D61D002A0D729DB
CRC32: 4210C569
Version: 5.2.4204.1700

{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} (Google Dictionary Compression sdch)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Google Dictionary Compression sdch
CLSID name: Google Dictionary Compression sdch
Path: C:\Program Files\Google\Google Toolbar\Component\
Long name: fastsearch_B7C5AC242193BB3E.dll
Short name: FASTSE~1.DLL
Date (created): 8/26/2009 8:23:02 PM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 8/26/2009 8:23:02 PM
Filesize: 458736
Attributes: archive
MD5: CB84DFAFF68CD27E840251343B9B8E99
CRC32: E25B2196
Version: 1.0.1801.150

{D5233FCD-D258-4903-89B8-FB1568E7413D} (Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile
Path:
Long name: mscoree.dll

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 9/25/2009 10:16:48 PM
Date (last access): 9/29/2009 2:12:54 PM
Date (last write): 9/25/2009 10:16:48 PM
Filesize: 41760
Attributes: archive
MD5: 7AF9D3B7B88AF81D2F87AA846DC2EE70
CRC32: 00DFC49A
Version: 6.0.160.1

{E3215F20-3212-11D6-9F8B-00D0B743919D} (STOPzilla Browser Helper Object)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: STOPzilla Browser Helper Object
description: StopZilla
classification: Legitimate
known filename: StopzillaBHO.dll<br>SZIEBHO.dll
info link: http://www.stopzilla.com/site/
info source: TonyKlein
Path: C:\Program Files\STOPzilla!\
Long name: SZIEBHO.dll
Short name:
Date (created): 9/28/2009 11:55:00 AM
Date (last access): 9/29/2009 2:12:54 PM
Date (last write): 8/18/2009 4:09:46 PM
Filesize: 222656
Attributes: readonly archive
MD5: F7C46E23C9AFED47E786B379EEB1028D
CRC32: DCC87C76
Version: 5.0.50.93

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/29/2009 2:12:54 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 73728
Attributes: archive
MD5: 37EDBCC7E5E0B89E59941FF79A2F9746
CRC32: 60D1666F
Version: 6.0.160.1



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
DPF name:
CLSID name: Microsoft Office Template and Media Control
Installer: C:\WINDOWS\Downloaded Program Files\ieawsdc.inf
Codebase: http://office.microsoft.com/templates/ieawsdc.cab
description:
classification: Legitimate
known filename: IEAWSDC.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\PROGRA~1\MICROS~2\Office12\
Long name: IEAWSDC.DLL
Short name:
Date (created): 10/25/2008 6:18:50 AM
Date (last access): 9/26/2009 10:29:00 PM
Date (last write): 10/25/2008 6:18:50 AM
Filesize: 172880
Attributes: archive
MD5: E6BC6BA065287D7B6C22D9231E80AF3B
CRC32: 6F420EE1
Version: 12.0.6034.0

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 5/26/2009 5:18:52 PM
Date (last access): 9/26/2009 10:32:36 PM
Date (last write): 5/26/2009 5:18:52 PM
Filesize: 779568
Attributes: archive
MD5: 119F55DAE2859632F2DD950031CD0A3B
CRC32: 0FB7CD34
Version: 7.6.2.0

{1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer)
DPF name:
CLSID name: Musicnotes Viewer
Installer: C:\WINDOWS\Downloaded Program Files\Mnviewer.inf
Codebase: http://www.musicnotes.com/download/mnviewer.cab
description:
classification: Legitimate
known filename: mnviewer.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Musicnotes\Player\
Long name: Mnviewer.dll
Short name:
Date (created): 4/19/2008 3:06:38 PM
Date (last access): 9/26/2009 10:32:24 PM
Date (last write): 6/1/2007 2:25:24 PM
Filesize: 317016
Attributes:
MD5: 31042E7CDEA9F9EF02F559EB1B846E06
CRC32: 81DB5668
Version: 1.16.10.0

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 1/13/2006 12:06:52 PM
Date (last access): 9/26/2009 11:04:50 PM
Date (last write): 12/19/2005 5:05:56 PM
Filesize: 54976
Attributes:
MD5: 9EDA5BB8F38D6A1235D93F1A81971928
CRC32: 702383B9
Version: 10.1.0.11

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 6:04:22 PM
Date (last access): 9/29/2009 1:55:42 PM
Date (last write): 3/10/2009 10:18:20 PM
Filesize: 1482112
Attributes: archive
MD5: CC26451A90025F6C55F64146C333DEA5
CRC32: BA16A880
Version: 1.9.40.0

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support)
DPF name:
CLSID name: Installation Support
Installer:
Codebase: C:\Program Files\Yahoo!\Common\Yinsthelper.dll
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Yahoo!\Common\
Long name: YInstHelper.dll
Short name: YINSTH~1.DLL
Date (created): 2/6/2007 5:46:38 PM
Date (last access): 9/26/2009 10:36:08 PM
Date (last write): 2/6/2007 5:46:38 PM
Filesize: 207912
Attributes:
MD5: 4F374B4704F49E87516A105E38F886F7
CRC32: FF63FB06
Version: 2007.2.6.1

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc3.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 1/18/2005 1:07:18 AM
Date (last access): 9/29/2009 1:58:24 PM
Date (last write): 10/26/2006 2:59:36 PM
Filesize: 524288
Attributes:
MD5: 2AE14671DD3771110CD15ED12FED5BE6
CRC32: B312915B
Version: 12.0.4518.1014

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235942706406
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 4/9/2005 5:03:20 PM
Date (last access): 9/29/2009 1:55:26 PM
Date (last write): 10/16/2008 3:12:24 PM
Filesize: 202776
Attributes: archive
MD5: 0006DE8037F5A562F96B461B3C557C3C
CRC32: 9B107DED
Version: 7.2.6001.788

{6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate)
DPF name:
CLSID name: Creative Software AutoUpdate
Installer: C:\WINDOWS\Downloaded Program Files\CTSUEng.inf
Codebase: http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
Path: C:\WINDOWS\DOWNLO~1\
Long name: CTSUEngn.ocx
Short name:
Date (created): 6/11/2008 4:45:56 PM
Date (last access): 9/29/2009 1:58:34 PM
Date (last write): 6/11/2008 4:45:56 PM
Filesize: 643792
Attributes:
MD5: 96659FBC9A8B951DDD46C3FF509AE9B1
CRC32: C145AD52
Version: 1.51.1.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_16
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_16.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/26/2009 10:21:36 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 136992
Attributes: archive
MD5: EF5C38E082CA41D7588621F3DFA09A64
CRC32: D4B4406B
Version: 6.0.160.1

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc4.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 1/18/2005 1:07:18 AM
Date (last access): 9/29/2009 1:58:24 PM
Date (last write): 10/26/2006 2:59:36 PM
Filesize: 524288
Attributes:
MD5: 2AE14671DD3771110CD15ED12FED5BE6
CRC32: B312915B
Version: 12.0.4518.1014

{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_16
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_16.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/29/2009 2:48:44 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 136992
Attributes: archive
MD5: EF5C38E082CA41D7588621F3DFA09A64
CRC32: D4B4406B
Version: 6.0.160.1

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_16
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_16.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/29/2009 2:48:44 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 136992
Attributes: archive
MD5: EF5C38E082CA41D7588621F3DFA09A64
CRC32: D4B4406B
Version: 6.0.160.1

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10c.ocx
Short name:
Date (created): 7/17/2009 8:12:12 PM
Date (last access): 9/29/2009 1:18:54 PM
Date (last write): 7/17/2009 8:12:12 PM
Filesize: 3979680
Attributes: readonly archive
MD5: 43C6ACDFB92A18C3E516E6BD5F1ACD51
CRC32: D6F40D46
Version: 10.0.32.18

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class)
DPF name:
CLSID name: get_atlcom Class
Installer: C:\WINDOWS\Downloaded Program Files\gp.inf
Codebase: http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gp.ocx

{F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package)
DPF name:
CLSID name: Creative Software AutoUpdate Support Package
Installer: C:\WINDOWS\Downloaded Program Files\CTPID.inf
Codebase: http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
description:
classification: Legitimate
known filename: CTPID.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: CTPID.ocx
Short name:
Date (created): 9/4/2008 4:19:38 PM
Date (last access): 9/29/2009 1:58:34 PM
Date (last write): 9/4/2008 4:19:38 PM
Filesize: 37616
Attributes:
MD5: 034B1C07FA8C265C77EF054FB6BC6473
CRC32: 868AADBC
Version: 1.0.49.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 448 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 504 ( 448) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 528 ( 448) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 572 ( 528) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 584 ( 528) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 752 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 800 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 868 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 908 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 956 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1032 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1048 ( 572) C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
size: 611664
MD5: 17067069B9A7865028C1F2E6971D0CCC
PID: 1408 (1364) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 1580 (1408) C:\WINDOWS\system32\kmw_run.exe
size: 106496
MD5: 2436367CDD597D19E6132EBD76AF4BE3
PID: 1632 (1408) C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 2023704
MD5: B87AE4DF2BCF791F3BBFF77AEDD2B88E
PID: 1640 (1408) C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
size: 28672
MD5: 883625BDF6C508C81BE6AD130E0682E4
PID: 1656 (1408) C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
size: 499712
MD5: 7E473FE86F9D79A6BEBD8166FC9FD936
PID: 1684 (1408) C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 5E4C9C25D603AE46DEDCBD9674F86E21
PID: 1708 (1408) C:\WINDOWS\system32\tbctray.exe
size: 290816
MD5: DB287A128B405524E45534D6EAECD066
PID: 1736 (1408) C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
size: 700416
MD5: C00E6005BBDBA8DAEDBF7C7A7F4522A7
PID: 1744 (1408) C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
size: 251240
MD5: 188D622EFF263BC4BEFF08DB7D7EC811
PID: 1748 (1580) C:\WINDOWS\system32\KMW_SHOW.EXE
size: 176128
MD5: ED4856133C0519DB80ABDB43424E2854
PID: 1776 (1408) C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
size: 1289000
MD5: 5515EB5E3A8B073F66CFC697EB0D4B55
PID: 1800 (1408) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 1952 ( 752) C:\PROGRA~1\MICROS~4\rapimgr.exe
size: 199464
MD5: 7D4A768DEA3DC643CBB65222D5B1377B
PID: 244 (1856) C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
size: 413807
MD5: 7AFDA26A52E92C938CDAD981061E41F4
PID: 720 ( 572) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1376 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1468 ( 572) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
size: 176241
MD5: 29DEB59DE57EA97553B1566F04B39D11
PID: 1092 ( 572) C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
size: 297752
MD5: DB338A6BD3976904EB0F8343F51E64EB
PID: 1608 ( 572) C:\WINDOWS\system32\CTsvcCDA.exe
size: 44032
MD5: 3C8B6609712F4FF78E521F6DCFC4032B
PID: 1476 (1092) C:\PROGRA~1\AVG\AVG8\avgam.exe
size: 832792
MD5: 309DE2B599871BC38C58B49B2F08EB10
PID: 1364 ( 572) C:\Program Files\Java\jre6\bin\jqs.exe
size: 153376
MD5: 09417134F248DFCEEA15C72BCC87F592
PID: 1704 (1092) C:\Program Files\AVG\AVG8\avgrsx.exe
size: 486680
MD5: 65EA6EB029BB031773473AD9A78A666D
PID: 2028 (1092) C:\PROGRA~1\AVG\AVG8\avgnsx.exe
size: 595736
MD5: A6CF4FF9BE1202800C22EC5A6A7CF4A6
PID: 1148 ( 572) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
size: 29263712
MD5: 4263DCF845B089E397C7C3BFC74F04FE
PID: 2084 ( 572) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
size: 185632
MD5: E0D0CB09AA07B22BE984E4F7EC0326F5
PID: 2136 ( 572) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
size: 239968
MD5: B2EC3E1DEAC5F0A764BD3486D213A0AF
PID: 2264 ( 572) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
size: 87904
MD5: D2F4F32B59440011174B4F8137AF4E0C
PID: 2308 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2336 ( 572) C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
size: 92008
MD5: 800AE7DB015952A610F7FD2185747CCE
PID: 2380 ( 572) C:\Program Files\UPHClean\uphclean.exe
size: 192573
MD5: C65BDF0E5B5413D4FD939068666E564A
PID: 2552 ( 572) C:\WINDOWS\system32\SearchIndexer.exe
size: 439808
MD5: 7778BDFA3F6F6FBA0E75B9594098F737
PID: 3040 ( 868) C:\WINDOWS\system32\wscntfy.exe
size: 13824
MD5: F92E1076C42FCD6DB3D72D8CFE9816D5
PID: 3384 ( 572) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 3112 (3484) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4008 (3476) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
PID: 5368 (3112) C:\WINDOWS\hh.exe
size: 10752
MD5: 6BA0A833DCABF3E28622143689E2C92E
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 9/29/2009 2:48:44 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{933CE23D-BA68-43B3-A92C-D366AD1926F3}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{933CE23D-BA68-43B3-A92C-D366AD1926F3}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB0318D-4BE5-42F3-ADF0-972542C56AA5}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB0318D-4BE5-42F3-ADF0-972542C56AA5}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB48C8C7-8CBE-4F90-B517-5391A4C4DF10}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB48C8C7-8CBE-4F90-B517-5391A4C4DF10}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7307E0B9-BEB3-49FD-AA18-395DBAC59AD6}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7307E0B9-BEB3-49FD-AA18-395DBAC59AD6}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B1C748F-2E7D-42FB-96AF-207BF16A97D6}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B1C748F-2E7D-42FB-96AF-207BF16A97D6}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace



=== AVG report ===
"Scan ""Scan whole computer"" was finished."
"Infections";"2";"2";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Tuesday, September 29, 2009, 3:20:46 PM"
"Scan finished:";"Tuesday, September 29, 2009, 5:03:57 PM (1 hour(s) 43 minute(s) 11 second(s))"
"Total object scanned:";"700333"
"User who launched the scan:";"Geoff"

"Infections"
"File";"Infection";"Result"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir";"Trojan horse Generic14.BMJO";"Moved to Virus Vault"
"C:\System Volume Information\_restore{3D2F4BBA-EAB6-4978-9EBA-5CDE82BEBE2A}\RP3\A0000634.dll";"Trojan horse Generic14.BMJO";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\cookies.sqlite";"Found Tracking cookie.Yadro";"Healed"
"C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\cookies.sqlite:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"

km2357
2009-09-30, 06:58
Nothing bad is jumping out at me from the DDS Log and the MalwareBytes' Log came up clean. :)


What is UPHClean?

UPHClean comes directly from Microsoft. "The User Profile Hive Cleanup service helps to ensure user sessions are completely terminated when a user logs off." Do you remember downloading it? If you didn't, it may have come with a Microsoft update or another Microsoft program you downloaded in the past. I would go ahead and leave it alone.

More info on UPHClean:

http://www.processlibrary.com/directory/files/uphclean/
http://www.microsoft.com/downloadS/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en



Is STOPZilla a problem? I don't know where it came from, and when I tried to uninstall it the other day it totally broke IE and also took out something that then prevented the ACT SQL server from loading, so I was relieved that the System Restore was there, again. This is the same thing that happened when I tried to remove the duplicate Personal Folders from Outlook 2007.

Apparently neither of these is creating problems that are detectable, so should I just leave them, and other stuff like them, alone?

Haven't heard of any problems with StopZilla (http://en.wikipedia.org/wiki/Stopzilla). Does anyone else use the computer besides yourself? Perhaps they downloaded/installed it without your knowledge. Since things appear to be working now (if I'm reading your last sentence correctly), I'd just leave well enough alone for now.


I'll report back one more time after I have completed your last set of instructions.

Ok sounds good. :)

===================


What Spybot found were some registry keys. Go ahead and rerun Spybot S&D (be sure to update first) and let me know if they (or anything new) show up again.


As for AVG, it found and cleaned some tracking cookies, a file in the Qoobox folder (which is where ComboFix keeps its quarantined files) and an infected System Restore point (which, as I mentioned earlier, is harmless; my "All-Clean" instructions showed you how to remove them and set a new, clean one).

jskyer
2009-10-01, 00:45
OK, I think we're good. No more errors are showing up and everything appears to be running as it should.

I am almost through the Please Read section of your last post, which I will complete this afternoon.

Question: I don't understand your request that I: "Please take the time to read <your> All Clean Post." What is that referring to?

In retrospect I thought I was already well armed and secure before this all happened. Now, with the additional tools I have acquired as a result of this exercise, I feel anger over the fact that the internet has evolved to such a hostile environment that it requires this incredibly high level of protection.

Thank you so much for all your efforts in helping me work through this ordeal. It took about as much time as it would have to rebuild the machine but it was also a lot less trouble and data repair work. I am grateful! And I hope you're making some big bucks doing this. You deserve it.

For a long time I have been using mostly free versions of much of the software you recommend. I think it's time I actually started paying for them. And I'm going to begin with donations to Safer Networking and Spybot S&D.

Final set of questions:

: How do I go about deleting corrupt exe files that continue to tell me that I don't have access to them? Such as the old renamed S&D files and the old RootRepeal.exe that I still can't remove?

: You gave a list of files that it was now OK to delete, but it did not include everything that we used. Are programs such as MalwareBytes and ATF-Cleaner still of any use?

: Once you close this case will this thread continue to live on the forum? There are a lot of useful links and info here that I want to be able to reference and apply to my other computer that has so far remained unscathed, but which can also stand to have its protection beefed up.

Again, many thanks!:bigthumb:

km2357
2009-10-01, 05:22
Good to hear that things are running well. :bigthumb:


Question: I don't understand your request that I: "Please take the time to read <your> All Clean Post." What is that referring to?

Are you referring to this in Post#19 (http://forums.spybot.info/showpost.php?p=338835&postcount=19) of the thread?:

Please take the time to read my All Clean Post.

It just means that I'd like for you to make sure you take the time to read through and do everything below that line (and above that line as well) in that particular post. And it sounds like you already have/are going to. :)



You gave a list of files that it was now OK to delete, but it did not include everything that we used. Are programs such as MalwareBytes and ATF-Cleaner still of any use?

Both MalwareBytes' and ATF-Cleaner are very useful programs and definitely worth keeping on your computer. MalwareBytes' is an excellent anti-spyware/malware program that is frequently updated (often 2-3 times a day), I would run a Quick Scan with it at least every 2 weeks or so, making sure to check for Updates first.

And ATF-Cleaner is a great temp/junk file cleaner which will help keep off junk that can accumulate on your computer over time. I would run it every couple of weeks as well.



Once you close this case will this thread continue to live on the forum? There are a lot of useful links and info here that I want to be able to reference and apply to my other computer that has so far remained unscathed, but which can also stand to have its protection beefed up.

All closed threads on the Safer Networking forum go into the Archives (http://forums.spybot.info/forumdisplay.php?f=23) section of the forum. You can no longer reply to your thread once it is in the Archives, but you can easily access it for reference. :)



How do I go about deleting corrupt exe files that continue to tell me that I don't have access to them? Such as the old renamed S&D files and the old RootRepeal.exe that I still can't remove?

We'll need to use a final set of tools to help get back permissions so you can delete those files. First, we'll run a tool that'll show us which files you don't have permissions for (deleting, moving, running, etc.):


We need to scan the system with this special tool:

* Please download and save:

Junction.zip (http://download.sysinternals.com/Files/Junction.zip)

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

jskyer
2009-10-01, 07:08
Here is the result from the Junction scan:



Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

...
Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\RootRepeal.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\Downloads\installFolder\HijackThis.exe: Access is denied.





Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\SaferNetworking\RootRepeal.exe: Access is denied.


...

.
Failed to open \\?\c:\\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.


..

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe: Access is denied.


..

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\OLD-2Spybot - Search & Destroy\SpybotSD.exe: Access is denied.



Failed to open \\?\c:\\Program Files\oldspybot~2\SpybotSD.exe: Access is denied.



Failed to open \\?\c:\\Program Files\old_spybot~1\SpybotSD.exe: Access is denied.




...
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.




..
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..No reparse points found.

km2357
2009-10-01, 20:24
I'd like for you to do this next:

We need to reset the permissions altered by the malware on some files.

* Download this tool and save it to your Desktop: <-- Important

Inherit.exe (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe)

Make sure that Inherit.exe is on your Desktop

* Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:


"%userprofile%\desktop\inherit" "c:\Documents and Settings\Geoff\Desktop\RootRepeal.exe"
"%userprofile%\desktop\inherit" "c:\Documents and Settings\Geoff\Desktop\Downloads\installFolder\HijackThis.exe"
"%userprofile%\desktop\inherit" "c:\Documents and Settings\Geoff\Desktop\SaferNetworking\RootRepeal.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\OLD-2Spybot - Search & Destroy\SpybotSD.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\oldspybot~2\SpybotSD.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\old_spybot~1\SpybotSD.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"


* If you get a security warning select Run.
* You will get a "Finish" popup. Click OK.
* Do the same for the rest of the lines until you have run all the above commands one by one.


Once you've run all the above commands, try deleting the .exe files that you couldn't delete before. Let me know if you were able to delete them or not.
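The Junction scan above and the Inherit.exe command list it led to can be joined up mechanically. The Python below is an added example and is not code from this thread, from Sysinternals Junction or from the BleepingComputer Inherit tool. It parses a Junction -s log in the format pasted above, separates the objects that are denied on any XP system (the in-use pagefile and hiberfil, the SYSTEM-owned System Volume Information tree and the CardSpace store) from the files whose ACLs actually need resetting, and prints the Run-box lines in the form km2357 posted. The sample log embedded in it is constructed from a few of the lines above, and the assumption that Inherit.exe sits on the Desktop is the same one the instructions make.

```python
r"""Triage a Junction -s scan log and generate the Inherit.exe repair commands.

Added example: not code from the thread, from Sysinternals or from
BleepingComputer. It assumes Junction's line format as pasted above
("Failed to open \\?\c:\\<path>: <reason>.") and, like km2357's
instructions, that Inherit.exe has been saved to the current user's Desktop.
"""
import re
from typing import Dict, List, Tuple

# Junction prints one line per object it could not open; the reason is the
# Win32 error text. The drive letter is followed by a doubled backslash
# because the scan root was given as "c:\".
FAILED_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+?)\.?$")

# Objects that are denied on a clean XP box too, so they are not evidence of
# ACL tampering and must not be "repaired":
#  - the System Volume Information tree is owned by SYSTEM,
#  - the CardSpace store is readable only by the CardSpace service.
EXPECTED_DENIED = (
    "c:\\system volume information\\",
    "\\local settings\\application data\\microsoft\\cardspace\\",
)


def parse_junction_log(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every 'Failed to open' line, ignoring the
    progress dots and blank lines Junction emits between hits."""
    found = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        # collapse "c:\\Documents" back to "c:\Documents"
        path = re.sub(r"^([A-Za-z]:)\\+", r"\1\\", m.group("path"))
        found.append((path, m.group("reason")))
    return found


def classify(path: str, reason: str) -> str:
    """Bucket a denied object: 'in-use' (pagefile, hiberfil), 'expected'
    (legitimately SYSTEM-only) or 'repair' (an ACL the user should own)."""
    if reason.lower().startswith("the process cannot access the file"):
        return "in-use"
    low = path.lower()
    if any(marker in low for marker in EXPECTED_DENIED):
        return "expected"
    return "repair"


def inherit_commands(paths: List[str]) -> List[str]:
    """One Run-box command per file, in the exact form km2357 posted."""
    return ['"%userprofile%\\desktop\\inherit" "{}"'.format(p) for p in paths]


def triage(text: str) -> Dict[str, List[str]]:
    """Group every denied object from the log into the three buckets."""
    buckets: Dict[str, List[str]] = {"in-use": [], "expected": [], "repair": []}
    for path, reason in parse_junction_log(text):
        buckets[classify(path, reason)].append(path)
    return buckets


# Constructed sample: a handful of lines in the shape of the log pasted above.
SAMPLE_LOG = r"""
Junction v1.05 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

...

Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\RootRepeal.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.

Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

..No reparse points found.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cmd in inherit_commands(result["repair"]):
        print(cmd)
```

Run against the full log pasted earlier in the thread, the "repair" bucket is exactly the eight .exe files in km2357's command list; the two CardSpace entries and MountPointManagerRemoteDatabase land in "expected" and are left alone, which is the judgment call the instructions make by hand.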

jskyer
2009-10-02, 06:05
SUCCESS! I think this is goodbye.

One last question: Is it possible to identify what evil bug, or combination of bugs, my computer had? If yes, what was it, or were they?

Thanks again!

km2357
2009-10-02, 07:05
SUCCESS! I think this is goodbye.

One last question: Is it possible to identify what evil bug, or combination of bugs, my computer had? If yes, what was it, or were they?

Thanks again!

Excellent. :) You can go ahead and delete Junction.zip, Junction.exe and Inherit.exe off of your computer now.

What you had is known as Max++. One of its main features is that it disables/denies permissions to .exe files, especially .exe files belonging to anti-malware/spyware programs.

jskyer
2009-10-04, 03:47
Thanks for that info. And thanks again for your help. I just did a full backup and everything appears to be back in order again. I don't have any bugs on my other machine, that I'm aware of, but I'm going to use this thread, after you move it to the archives, as a guide on what housekeeping steps I need to attend to and what to install to keep it that way. I hope I never have to go through this again!

Thanks again.

km2357
2009-10-04, 07:06
You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!