View Full Version : Downloader Trojan System Still Slow
lovebohn
2009-11-01, 03:46
A family members system was found to have the downloader trojan. It has symantec antivirus which didn't seem to solve the problem I have run AVG and did a spybot before i found this forum. I turned off the antivirus used Erunit and will post the Hijack This text on the next post.
Dave
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:44 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/GeneralMills/Coupons.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {7e0a0874-239b-43ac-a24b-c8d0f4eb66ee} - C:\WINDOWS\system32\xwreg32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 4670 bytes
Hello and :welcome: to Safer Networking
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
Please observe these rules while we work:
If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
You are operating multiple Anti Virus programs on your computer:
AVG8
Symantec AntiVirus
It is NOT safe to have more than one anti-virus installed on a system, and that doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program.
Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for the following (if present):
1 - download and run RSIT
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)
2 - Status Check
Please reply with
1.the logs from RSIT (log.txt ,info.txt)
Thanks peku006
lovebohn
2009-11-04, 04:56
Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-11-03 20:55:25
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 25 GB (65%) free of 38 GB
Total RAM: 1022 MB (63% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:38 PM, on 11/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.JEANNE.000\My Documents\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/GeneralMills/Coupons.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter hijack: text/html - {7e0a0874-239b-43ac-a24b-c8d0f4eb66ee} - C:\WINDOWS\system32\xwreg32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 4992 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-10-19 126976]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2003-05-21 90112]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-08-11 63048]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2005-01-12 241664]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-02-16 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2004-05-28 241664]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2004-05-28 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Image Transfer.lnk]
C:\PROGRA~1\SONYCO~1\IMAGET~1\SonyTray.exe []
C:\Documents and Settings\Owner.JEANNE.000\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2009-09-28 87352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\System32\NavLogon.dll [2003-05-21 45056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\Extended Systems\OneBridge Desktop Connector\DesktopConnector.exe"="C:\Program Files\Extended Systems\OneBridge Desktop Connector\DesktopConnector.exe:*:Enabled:DesktopConnector"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\LaunchU3.exe -a
======List of files/folders created in the last 1 months======
2009-11-03 20:55:25 ----D---- C:\rsit
2009-11-03 20:44:01 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\LogMeIn
2009-11-03 20:43:53 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
2009-11-03 20:43:53 ----A---- C:\WINDOWS\system32\LMIport.dll
2009-11-03 20:43:36 ----A---- C:\WINDOWS\system32\LMIinit.dll
2009-11-03 20:43:15 ----D---- C:\Program Files\LogMeIn
2009-10-31 19:35:31 ----D---- C:\WINDOWS\ERDNT
2009-10-31 19:34:53 ----D---- C:\Program Files\ERUNT
2009-10-31 19:27:48 ----D---- C:\Program Files\Trend Micro
2009-10-24 22:04:26 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-17 07:45:19 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-17 07:38:59 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-17 07:38:44 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-17 07:38:36 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-17 07:38:21 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-17 07:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-17 07:34:55 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-10-17 06:56:37 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-17 06:55:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-16 14:26:43 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-10-16 14:26:43 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-10-07 20:33:10 ----D---- C:\Documents and Settings\Owner.JEANNE.000\Application Data\Mozilla
2009-10-07 20:31:57 ----D---- C:\Program Files\Mozilla Firefox
2009-10-07 18:32:10 ----D---- C:\Documents and Settings\Owner.JEANNE.000\Application Data\AVG8
2009-10-07 15:39:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-10-06 22:38:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-10-06 22:37:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2009-10-06 21:47:12 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2009-10-06 21:45:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-10-06 21:43:37 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-10-06 21:42:29 ----D---- C:\WINDOWS\ie8updates
2009-10-06 21:39:41 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-10-05 22:02:46 ----HD---- C:\$AVG8.VAULT$
2009-10-05 21:03:25 ----A---- C:\WINDOWS\ntbtlog.txt
2009-10-05 20:53:48 ----D---- C:\Program Files\AVG
2009-10-05 20:53:39 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2009-10-05 20:35:58 ----D---- C:\Documents and Settings\Owner.JEANNE.000\Application Data\U3
2009-10-05 20:24:58 ----D---- C:\WINDOWS\Prefetch
2009-10-04 21:12:30 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-10-04 21:10:56 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-10-04 21:09:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-10-04 21:08:00 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-10-04 21:06:23 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-10-04 21:04:51 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-10-04 21:03:23 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-10-04 21:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-10-04 21:00:13 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-10-04 20:58:28 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-10-04 20:56:48 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-10-04 20:55:14 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-10-04 20:53:40 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-10-04 20:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-10-04 20:50:42 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-10-04 20:49:03 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-10-04 20:47:32 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-10-04 20:46:00 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-10-04 20:44:29 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-10-04 20:42:59 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-10-04 20:41:22 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-10-04 20:39:54 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-10-04 20:38:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-10-04 20:36:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-10-04 20:35:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-10-04 20:33:26 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-10-04 20:31:26 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-10-04 20:29:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-10-04 20:28:26 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-10-04 20:26:46 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-10-04 20:25:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-10-04 20:23:42 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-10-04 20:22:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-10-04 20:20:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-10-04 20:19:01 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-10-04 20:17:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-10-04 20:15:57 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-10-04 20:14:24 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-10-04 20:12:53 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-10-04 20:11:03 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-10-04 20:09:20 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-10-04 20:07:13 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-10-04 19:54:57 ----D---- C:\WINDOWS\system32\scripting
2009-10-04 19:54:53 ----D---- C:\WINDOWS\l2schemas
2009-10-04 19:54:52 ----D---- C:\Program Files\msn
2009-10-04 19:54:51 ----D---- C:\WINDOWS\system32\en
2009-10-04 19:44:56 ----D---- C:\WINDOWS\network diagnostic
2009-10-04 19:08:48 ----D---- C:\WINDOWS\WBEM
2009-10-04 19:07:04 ----HDC---- C:\WINDOWS\ie8
2009-10-04 19:07:04 ----D---- C:\WINDOWS\system32\en-US
======List of files/folders modified in the last 1 months======
2009-11-03 20:51:05 ----D---- C:\WINDOWS\Temp
2009-11-03 20:51:01 ----D---- C:\WINDOWS
2009-11-03 20:50:23 ----D---- C:\WINDOWS\SYSTEM32
2009-11-03 20:49:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-03 20:48:51 ----D---- C:\WINDOWS\system32\DRIVERS
2009-11-03 20:46:07 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-03 20:44:04 ----HD---- C:\Config.Msi
2009-11-03 20:44:03 ----SHD---- C:\WINDOWS\Installer
2009-11-03 20:43:48 ----HD---- C:\WINDOWS\INF
2009-11-03 20:43:37 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-03 20:43:15 ----RD---- C:\Program Files
2009-11-03 20:32:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-31 13:26:41 ----RASH---- C:\boot.ini
2009-10-31 13:26:40 ----A---- C:\WINDOWS\win.ini
2009-10-31 13:26:40 ----A---- C:\WINDOWS\system.ini
2009-10-24 22:04:29 ----RSHDC---- C:\WINDOWS\system32\DLLCACHE
2009-10-24 20:55:15 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-17 07:45:30 ----A---- C:\WINDOWS\imsins.BAK
2009-10-17 07:45:22 ----D---- C:\WINDOWS\WinSxS
2009-10-08 20:07:42 ----D---- C:\Program Files\Shared
2009-10-07 20:31:24 ----D---- C:\WINDOWS\system32\Restore
2009-10-07 15:42:52 ----D---- C:\Program Files\Internet Explorer
2009-10-06 21:15:34 ----D---- C:\WINDOWS\Help
2009-10-05 21:05:56 ----SHD---- C:\RECYCLER
2009-10-05 21:03:51 ----D---- C:\Documents and Settings
2009-10-05 20:53:06 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-05 20:49:16 ----D---- C:\I386
2009-10-05 20:30:23 ----A---- C:\WINDOWS\OEWABLog.txt
2009-10-05 20:26:53 ----A---- C:\WINDOWS\setuplog.txt
2009-10-05 20:24:27 ----D---- C:\WINDOWS\system32\WBEM
2009-10-05 20:24:27 ----D---- C:\WINDOWS\system32\Setup
2009-10-05 20:24:27 ----D---- C:\WINDOWS\AppPatch
2009-10-05 20:24:25 ----RSD---- C:\WINDOWS\Fonts
2009-10-04 21:16:08 ----D---- C:\WINDOWS\SECURITY
2009-10-04 21:13:40 ----D---- C:\WINDOWS\system32\CatRoot
2009-10-04 21:08:03 ----D---- C:\Program Files\Outlook Express
2009-10-04 20:11:08 ----D---- C:\Program Files\Messenger
2009-10-04 19:55:27 ----D---- C:\WINDOWS\IME
2009-10-04 19:54:59 ----D---- C:\WINDOWS\system32\USMT
2009-10-04 19:54:51 ----D---- C:\WINDOWS\system32\bits
2009-10-04 19:54:50 ----D---- C:\WINDOWS\peernet
2009-10-04 19:54:50 ----D---- C:\Program Files\Movie Maker
2009-10-04 19:49:54 ----D---- C:\WINDOWS\system32\NPP
2009-10-04 19:49:52 ----D---- C:\WINDOWS\MSAGENT
2009-10-04 19:49:50 ----D---- C:\WINDOWS\SRCHASST
2009-10-04 19:49:49 ----D---- C:\Program Files\NetMeeting
2009-10-04 19:49:47 ----D---- C:\WINDOWS\system32\Com
2009-10-04 19:49:40 ----D---- C:\Program Files\Windows Media Player
2009-10-04 19:49:39 ----D---- C:\Program Files\Windows NT
2009-10-04 19:49:30 ----D---- C:\Program Files\Common Files\System
2009-10-04 19:48:46 ----D---- C:\WINDOWS\system32\OOBE
2009-10-04 19:48:43 ----D---- C:\WINDOWS\SYSTEM
2009-10-04 19:42:00 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-10-04 19:41:04 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-10-04 19:32:55 ----D---- C:\WINDOWS\EHome
2009-10-04 19:09:02 ----D---- C:\WINDOWS\system32\CONFIG
2009-10-04 19:08:28 ----D---- C:\WINDOWS\Media
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-08-11 10144]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-05-28 500568]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [2004-06-21 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [2004-06-21 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [2004-06-21 21744]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091016.003\NAVENG.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091016.003\NAVEX15.sys []
S3 NuidFltr;NUID filter driver; C:\WINDOWS\system32\DRIVERS\NuidFltr.sys [2009-05-09 14736]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2002-06-21 16509]
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [2003-05-21 32768]
R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2009-09-28 116032]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-08-11 63040]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [2003-05-21 610304]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\HPZipm12.exe [2004-03-18 65536]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
-----------------EOF-----------------
lovebohn
2009-11-04, 04:57
info.txt logfile of random's system information tool 1.06 2009-11-03 20:55:44
======Uninstall list======
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACH Origination Application-->MsiExec.exe /I{59C50F14-2BEE-4EA2-9409-BB04FEBB3501}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.5 Language Support-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
GdiplusUpgrade-->MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
LiveUpdate 1.80 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LogMeIn-->MsiExec.exe /I{34F93E31-E1A0-421C-8E86-BCF7C4193A91}
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.5.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
overland-->MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus Client-->MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WordPerfect Office 2002-->C:\WINDOWS\Corel\uninst32.exe
WordPerfect Office 2002-->C:\WINDOWS\Corel\Uninst32.exe
Yahoo! Mail Quick Select Tool (PhotoMail)-->C:\PROGRA~1\Yahoo!\Common\unymb.exe
======Hosts File======
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
======System event log======
Computer Name: JEANNE
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 10776
Source Name: Service Control Manager
Time Written: 20090118182025.000000-360
Event Type: error
User:
Computer Name: JEANNE
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 10773
Source Name: Service Control Manager
Time Written: 20090118182025.000000-360
Event Type: error
User:
Computer Name: JEANNE
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 10770
Source Name: Service Control Manager
Time Written: 20090118182025.000000-360
Event Type: error
User:
Computer Name: JEANNE
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 10767
Source Name: Service Control Manager
Time Written: 20090118182024.000000-360
Event Type: error
User:
Computer Name: JEANNE
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 10764
Source Name: Service Control Manager
Time Written: 20090118182024.000000-360
Event Type: error
User:
=====Application event log=====
Computer Name: JEANNE
Event Code: 6
Message:
Scan could not open file C:\WINDOWS\SYSTEM32\CONFIG\SECURITY [00000003]
Record Number: 69403
Source Name: Norton AntiVirus
Time Written: 20090804043014.000000-300
Event Type: warning
User:
Computer Name: JEANNE
Event Code: 6
Message:
Scan could not open file C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG [00000003]
Record Number: 69402
Source Name: Norton AntiVirus
Time Written: 20090804043014.000000-300
Event Type: warning
User:
Computer Name: JEANNE
Event Code: 6
Message:
Scan could not open file C:\WINDOWS\SYSTEM32\CONFIG\SAM [00000003]
Record Number: 69401
Source Name: Norton AntiVirus
Time Written: 20090804043014.000000-300
Event Type: warning
User:
Computer Name: JEANNE
Event Code: 6
Message:
Scan could not open file C:\WINDOWS\SYSTEM32\CONFIG\default.LOG [00000003]
Record Number: 69400
Source Name: Norton AntiVirus
Time Written: 20090804043014.000000-300
Event Type: warning
User:
Computer Name: JEANNE
Event Code: 6
Message:
Scan could not open file C:\WINDOWS\SYSTEM32\CONFIG\default [00000003]
Record Number: 69399
Source Name: Norton AntiVirus
Time Written: 20090804043014.000000-300
Event Type: warning
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
-----------------EOF-----------------
Hi
1 - Remove bad HijackThis entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O18 - Filter hijack: text/html - {7e0a0874-239b-43ac-a24b-c8d0f4eb66ee} - C:\WINDOWS\system32\xwreg32.dll
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
2 - Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1. the Malwarebytes' Anti-Malware Log
2. a fresh HijackThis log
Thanks peku006
lovebohn
2009-11-05, 04:28
it would not delete 018. I will move forward with the other steps.
lovebohn
2009-11-05, 05:18
Malwarebytes' Anti-Malware 1.41
Database version: 3103
Windows 5.1.2600 Service Pack 3
11/4/2009 9:16:42 PM
mbam-log-2009-11-04 (21-16-42).txt
Scan type: Full Scan (C:\|)
Objects scanned: 231915
Time elapsed: 44 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
lovebohn
2009-11-05, 05:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:14 PM, on 11/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/GeneralMills/Coupons.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter hijack: text/html - {7e0a0874-239b-43ac-a24b-c8d0f4eb66ee} - C:\WINDOWS\system32\xwreg32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 4577 bytes
Hi lovebohn
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply
Thanks peku006
lovebohn
2009-11-09, 05:20
ComboFix 09-11-08.03 - Owner 11/08/2009 19:20.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.626 [GMT -6:00]
Running from: c:\documents and settings\Owner.JEANNE.000\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\program files\Shared
c:\recycler\S-1-5-21-3152490731-1469953393-3772677915-1006
c:\recycler\S-1-5-21-746137067-1383384898-725345543-1003
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.
2009-11-05 02:29 . 2009-11-05 02:29 -------- d-----w- c:\documents and settings\Owner.JEANNE.000\Application Data\Malwarebytes
2009-11-05 02:28 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 02:28 . 2009-11-05 02:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 02:28 . 2009-11-05 02:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-11-05 02:28 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 02:55 . 2009-11-04 02:55 -------- d-----w- C:\rsit
2009-11-04 02:44 . 2009-11-04 02:44 -------- d-----w- c:\documents and settings\Owner.JEANNE.000\Local Settings\Application Data\LogMeIn
2009-11-04 02:44 . 2009-11-04 02:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\LogMeIn
2009-11-04 02:43 . 2009-11-04 02:43 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\ICS
2009-11-04 02:43 . 2009-09-29 01:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-04 02:43 . 2009-09-29 01:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-04 02:43 . 2008-08-11 18:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-11-04 02:43 . 2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-04 02:43 . 2009-11-09 00:07 -------- d-----w- c:\program files\LogMeIn
2009-11-04 02:33 . 2009-10-08 03:40 3510552 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgui.exe
2009-11-01 01:34 . 2009-11-01 01:35 -------- d-----w- c:\program files\ERUNT
2009-11-01 01:27 . 2009-11-01 01:27 -------- d-----w- c:\program files\Trend Micro
2009-10-25 02:44 . 2009-10-08 03:41 2064152 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgcorex.dll
2009-10-25 02:32 . 2009-10-25 02:32 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY.000\IETldCache
2009-10-17 13:58 . 2009-10-17 13:57 2025752 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgtray.exe
2009-10-16 20:26 . 2009-10-16 20:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-16 20:26 . 2009-10-16 20:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 02:48 . 2009-10-06 02:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-10-16 20:40 . 2009-10-06 02:35 -------- d-----w- c:\documents and settings\Owner.JEANNE.000\Application Data\U3
2009-10-08 22:21 . 2009-10-06 22:06 1142552 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.exe
2009-10-08 02:33 . 2009-10-08 02:33 0 ----a-w- c:\windows\nsreg.dat
2009-10-08 00:32 . 2009-10-08 00:32 -------- d-----w- c:\documents and settings\Owner.JEANNE.000\Application Data\AVG8
2009-10-06 02:54 . 2009-10-06 22:06 1423640 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.dll
2009-10-06 02:54 . 2009-10-06 22:06 582936 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgiproxy.exe
2009-10-06 02:54 . 2009-10-06 22:06 746264 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avginet.dll
2009-10-06 02:53 . 2009-10-06 02:53 -------- d-----w- c:\program files\AVG
2009-10-05 02:01 . 2005-03-22 00:15 77423 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2005-02-18 21:19 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner.JEANNE.000^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\Owner.JEANNE.000\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [11/3/2009 8:43 PM 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner.JEANNE.000\Application Data\Mozilla\Firefox\Profiles\rizmjppl.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 19:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-11-09 19:33
ComboFix-quarantined-files.txt 2009-11-09 01:33
Pre-Run: 25,518,088,192 bytes free
Post-Run: 25,784,819,712 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
- - End Of File - - B4A13C8D93BAB534081104583A2783F3
Hi lovebohn
RootRepeal - Rootkit Detector
Download RootRepeal from the following location and save it to your desktop.
Link 1 (http://rootrepeal.googlepages.com/RootRepeal.zip)
Link 2 (http://ad13.geekstogo.com/RootRepeal.zip)
Link 3 (http://rootrepeal.psikotick.com/RootRepeal.zip)
Unzip it to your Desktop
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT
Click the OK button
Check the box for your main system drive (Usually C:), and Click OK to start the scan
The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program
peku006
lovebohn
2009-11-11, 02:11
The rootrepeal program is causing problems. The download was slow but after i pasted the exe to the desktop if says its initalizing and after a few minutes a window pops up stating the memory is low. I tried doing this in safe mode with no luck either. The PC seems to be ok if i do a restart and don't try to open the program. Any ideas?
Hi lovebohn
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
Right click on gmer.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Click Next. It will start extracting.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it.
Select the Rootkit tab.
On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
Select all drives that are connected to your system to be scanned.
Click on the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into the text editor.
Save the Gmer scan log and post it in your next reply.
Close Gmer.
Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
In Command Prompt, type in net stop gmer. Press Enter.
Type in exit to close Command Prompt.
Note: Do not run any programs while Gmer is running.
peku006
lovebohn
2009-11-13, 05:41
GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-12 21:39:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\OWNERJ~1.000\LOCALS~1\Temp\awtdypog.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
lovebohn
2009-11-13, 05:44
when i try to do the dos command i get the message, "the specified service does not exist as an install service"
Hi lovebohn
Let´s try this......
TFC (Temp File Cleaner)
Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.
NOTE: Save your work.TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.
Download and Run Blacklight
Please download F-Secure Blacklight (fsbl.exe) from here (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe)
Save into C:\ with a name of fsbl.exe
Go to Start > Run
Copy and paste the contents of the below codebox into the run box
C:\fsbl.exe /expert
Click OK
This will launch BlackLight
Select I accept the agreement
Click Next
Click Scan
Wait for the scan to finish
Click on Next>
Click Exit
It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
Use notepad to open that log
Post the contents of that log as a reply to this topic
peku006
lovebohn
2009-11-14, 04:19
do you have another ftp link for blacklight? I only goes 15% and times out.
lovebohn
2009-11-14, 05:04
11/13/09 20:29:31 [Info]: BlackLight Engine 2.2.1092 initialized
11/13/09 20:29:31 [Info]: OS: 5.1 build 2600 (Service Pack 3)
11/13/09 20:29:31 [Note]: 7019 4
11/13/09 20:29:31 [Note]: 7005 0
11/13/09 20:29:45 [Note]: 7006 0
11/13/09 20:29:45 [Note]: 7022 0
11/13/09 20:29:45 [Note]: 7011 1320
11/13/09 20:29:45 [Note]: 7035 0
11/13/09 20:29:46 [Note]: 7026 0
11/13/09 20:29:46 [Note]: 7026 0
11/13/09 20:29:46 [Note]: FSRAW library version 1.7.1024
11/13/09 21:03:32 [Note]: 7007 0
Hi lovebohn
Looking good :)
Let's make sure we got everything
Eset online scannner
You can use either Internet Explorer or Mozilla FireFox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.
How's the computer running now? Any problems?
Thanks peku006
lovebohn
2009-11-15, 21:13
ESETSmartInstaller@High as downloader log:
Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetCan not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not read file from internet.ESETSmartInstaller@High as downloader log:
Can not read file from internet.Can not read file from internet.# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e3b65221346c4f46acd61c43a44da414
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-15 04:14:15
# local_time=2009-11-15 10:14:15 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 333943 333943 0 0
# compatibility_mode=1024 16777215 100 0 2575183 2575183 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=65751
# found=0
# cleaned=0
# scan_time=7266
Hi Sydney
it was not successful :scratch: let´s try Panda
Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
Once you are on the Panda site
click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete click on Local Disks to start the scan
When the scan completes if anything malicious is detected click the See Report button then Save Report and save it to a convenient location.
Post the contents of the Panda scan report along with a new HijackThis Log
peku006
lovebohn
2009-11-20, 22:04
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-11-20 13:55:20
PROTECTIONS: 0
MALWARE: 13
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00145466 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@servedby.advertising[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\owner.jeanne.000\cookies\owner@tribalfusion[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\owner.jeanne.000\cookies\owner@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\owner.jeanne.000\cookies\owner@ad.yieldmanager[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\documents and settings\owner.jeanne.000\cookies\owner@www.burstbeacon[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\documents and settings\owner.jeanne.000\cookies\owner@server.iad.liveperson[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@ads.pointroll[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\owner.jeanne.000\cookies\owner@ads.pointroll[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@go[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No c:\documents and settings\owner.jeanne.000\cookies\owner@target[1].txt
00207712 Cookie/360i TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@ct.360i[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@atwola[1].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@ehg-dig.hitbox[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@ads.addynamix[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\qoobox\quarantine\c\windows\coupon~1.ocx.vir
No c:\system volume information\_restore{8edfe682-f824-4e33-b41d-d13ca5d0a2b5}\rp1\a0000051.ocx
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
lovebohn
2009-11-20, 22:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:47 PM, on 11/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 4210 bytes
Hi lovebohn
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.
How's the computer running now?
Thanks peku006
lovebohn
2009-11-24, 22:16
Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec AntiVirus Client
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
HijackThis 2.0.2
Adobe Flash Player 10
Adobe Reader 7.0.9
Adobe Reader 7.0.5 Language Support
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
Hi lovebohn
Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnarable for infections.
Please download the newest version here:
http://www.adobe.com/products/acrobat/readstep2_servefile.html?option=full&order=1&type=&language=English&platform=WinXPSP2&esdcanbeused=0&esdcanhandle=0&hasjavascript=1&dlm=nos
Install it, then go to Add Remove Programs and remove any older versions that may remain.
Please reply with
a fresh HijackThis log
description of any problems you are having with your PC
Thanks peku006
lovebohn
2009-11-25, 00:08
things seem to be working fine.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:11 PM, on 11/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 4582 bytes
Hi lovebohn
Your log now appears to be clean. Congratulations! :yahoo:
To remove all of the tools we used and the files and folders they created do the following:
Delete SecurityCheck from your desktop
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.
Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep ......Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Here are some things that I think are worth having a look at if you don't already know a bout them:.
Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.
Happy safe surfing! :bigthumb:
peku006
As this issue appears to be resolved, this topic is now closed
We are pleased to have been some help in getting you clean.
If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)