Spybot S&D starts and disappears.

john23
2009-11-22, 22:16
I disabled TeaTimer, created a registry backup with ERUNT but was unable to run HJT. After I click 'Do a system scan and save a log file' the scan window pops up and it looks like it's scanning but it disappears in an instant and there is no log file in the Trend Micro > HJT folder.

Blade81
2009-11-26, 16:55
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

john23
2009-11-26, 17:51
DDS (Ver_09-11-24.02) - NTFSx86
Run by John at 11:40:57.50 on Thu 11/26/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3069.1399 [GMT -5:00]

AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Outpost Firewall Pro *disabled* (Updated) {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\Agnitum\OUTPOS~2\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\CtHelper.exe
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\1-CLIC~1\agtserv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Windows\system32\taskeng.exe
C:\Users\John\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - k:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: 1-Click Answers: {7754c418-f62e-44aa-b169-e719e718bcfd} - c:\progra~1\1-clic~1\ietool~1\ANSWER~1.DLL
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Sysinternals Desktops] c:\users\john\appdata\local\temp\Desktops.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WheresJames Startup Manager] c:\program files\wheresjames\startupmgr\StartupMgr.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Vista_upgrade] c:\users\john\local settings\application data\dellvistaupgrade\Vista_Upgrade.exe
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall pro\feedback.exe" /dump:os_startup
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~2\op_mon.exe /tray /noservice
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CtxfiReg] CTXFIREG.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\1-clic~1.lnk - c:\program files\1-click answers\answers.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\program files\agnitum\outpost firewall pro\ie_bar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166907923062
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~2\wl_hook.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 afw;Agnitum Firewall Driver;c:\windows\system32\drivers\afw.sys [2007-12-9 28688]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-25 97928]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2008-10-10 673920]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~2\acs.exe [2007-12-9 1238344]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-22 1153368]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2008-10-10 242704]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [2008-1-15 97792]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2009-11-19 45232]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S2 avg8emc;AVG Free8 E-mail Scanner;k:\progra~1\avg\avg8\avgemc.exe --> k:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;k:\progra~1\avg\avg8\avgwdsvc.exe --> k:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2008-10-10 33408]
S3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\drivers\avgwfpx.sys [2008-12-25 69128]
S3 Commander Service;Commander Service;c:\program files\seagull\bartender\7.74\cmdrsrv.exe --> c:\program files\seagull\bartender\7.74\CmdrSrv.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-25 21504]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-1-29 23680]

=============== Created Last 30 ================

2009-11-26 16:33:51 0 --sha-w- C:\DkHyperbootSync
2009-11-24 22:38:21 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 22:37:06 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 22:37:02 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-22 21:26:20 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-22 20:09:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-22 19:24:07 0 d-----w- c:\windows\system32\Adobe
2009-11-21 17:07:56 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-20 00:29:48 0 d-sh--w- C:\Diskeeper
2009-11-19 23:15:34 45232 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2009-11-19 23:15:30 0 d-----w- c:\program files\common files\Diskeeper Corporation
2009-11-19 23:15:29 0 d-----w- c:\programdata\Diskeeper Corporation
2009-11-19 23:15:26 0 d-----w- c:\program files\Windows Home Server
2009-11-11 22:29:53 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 22:29:50 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-03 22:41:29 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-31 13:58:32 0 d-----w- c:\program files\Windows Portable Devices
2009-10-31 13:58:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-31 13:46:59 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-10-31 13:45:34 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-31 13:45:34 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-31 13:45:34 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-31 13:43:29 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-31 13:43:22 8147456 ----a-w- c:\windows\system32\wmploc.DLL

==================== Find3M ====================

2009-11-24 23:23:15 32299 ----a-w- c:\windows\system32\drivers\stwrte.log
2009-11-22 19:19:20 86016 ----a-w- c:\windows\inf\infpub.dat
2009-11-22 19:19:20 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-22 19:19:20 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 13:58:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 02:01:02 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00:54 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00:36 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2008-05-25 20:26:25 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-24 16:21:29 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-01-21 23:29:46 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009012120090122\index.dat
2009-08-24 16:21:29 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009082420090825\index.dat
2007-01-05 20:18:45 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
2006-11-02 12:35:02 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\WinMail.exe

============= FINISH: 11:41:51.87 ===============
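
Added example, not part of the thread and not DDS's own code: a small Python parser for the SERVICES / DRIVERS section of a DDS log like the one above. It surfaces the registrations DDS tagged with `[?]` because the image file was not found (here the AVG and Nero leftovers) and any service registered to load from a drive other than the system drive. The entry format it assumes is the one visible in the log; the sample input is a constructed excerpt of that log.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Entry format (assumed from the log shown in the thread):
    <R|S><start type> <name>;<display name>;<image path> [<yyyy-m-d> <size>]
R/S is running/stopped, the digit is the Windows start type.  When DDS cannot
find the image file it prints "<registered path> --> <path it looked for> [?]",
so a "[?]" tail is a service or driver registration pointing at a missing file.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

_SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)"
    r"(?:\s+-->\s+(?P<looked_for>.*?))?"
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Constructed excerpt: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 afw;Agnitum Firewall Driver;c:\windows\system32\drivers\afw.sys [2007-12-9 28688]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-22 1153368]
S2 avg8emc;AVG Free8 E-mail Scanner;k:\progra~1\avg\avg8\avgemc.exe --> k:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;k:\progra~1\avg\avg8\avgwdsvc.exe --> k:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-25 21504]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-1-29 23680]
"""

@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    image_path: str
    file_found: bool
    date: Optional[str] = None   # only when the file was found
    size: Optional[int] = None   # file size in bytes, only when found

def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one service/driver line, or None for any other line."""
    m = _SERVICE_LINE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    entry = ServiceEntry(
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        running=m.group("state") == "R",
        start_type=START_TYPES[m.group("start")],
        image_path=m.group("path").strip(),
        file_found=meta != ["?"],
    )
    if entry.file_found and len(meta) == 2:
        entry.date, entry.size = meta[0], int(meta[1])
    return entry

def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in a DDS log; headers and blank lines are skipped."""
    return [e for e in map(parse_service_line, text.splitlines()) if e is not None]

def drive_of(path: str) -> str:
    """Drive letter of a Windows path, lower-cased ('' if the path has none)."""
    return path[0].lower() if len(path) > 1 and path[1] == ":" else ""

def orphaned_services(entries: Iterable[ServiceEntry]) -> List[ServiceEntry]:
    """Registrations whose image DDS could not find: remnants of uninstalled software,
    or a driver that was deleted but is still registered to load."""
    return [e for e in entries if not e.file_found]

def off_system_drive(entries: Iterable[ServiceEntry], system_drive: str = "c") -> List[ServiceEntry]:
    """Services that would load their code from a drive other than the system drive."""
    return [e for e in entries if drive_of(e.image_path) not in ("", system_drive.lower())]

def triage_report(text: str, system_drive: str = "c") -> List[str]:
    """One finding per line, ready to paste into a reply."""
    entries = parse_services(text)
    findings = [f"missing image: {e.name} ({e.display}) -> {e.image_path}"
                for e in orphaned_services(entries)]
    findings += [f"non-system drive: {e.name} ({e.display}) loads from {e.image_path}"
                 for e in off_system_drive(entries, system_drive)]
    return findings

if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_LOG)))
```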

Blade81
2009-11-26, 18:28
Hi,

Are all windows getting minimized or losing focus? I see you have signs of AVG there. Did the problem begin while AVG was still running? This issue is discussed on AVG Forums here (http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=41015#post_41015).

john23
2009-11-26, 19:16
No minimize or focus problems. I did have what I thought was a Google redirect problem about a month ago, but it was happening with Bing also. I ran the Google redirect fix anyway and it seemed to clear up. I don't have AVG anymore. I have used NOD32 for the last few years. I didn't realize the services were still there. They weren't running, but I disabled them anyway. Is there anything else I can try? It seems odd that I can run scans with NOD32 or a-squared but not Spybot or HJT. Neither one of them found anything, though.

Blade81
2009-11-26, 21:04
Hi,

Thanks for the extra info. You can use this (http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe) to remove AVG remnants.


Let's do a bit more checking.

Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log in your reply.

john23
2009-11-26, 21:47
GMER crapped out twice. The first time it ran for about 3 minutes then disappeared. I tried it a second time and as soon as I hit Scan my PC crashed. The BSOD said a program was attempting to write to read only memory.

Blade81
2009-11-26, 21:49
Hi,

Did you try in safe mode? If it still doesn't work, deselect devices and sections on GMER options and see if you're able to run that way.

john23
2009-11-27, 17:14
Safe mode did not work. I was, however, able to run it in regular mode after deselecting sections and devices.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 11:10:26
Windows 6.0.6002 Service Pack 2
Running: wdqiqb6y.exe; Driver: C:\Users\John\AppData\Local\Temp\fflyapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAlpcConnectPort [0x988D5AF2]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0x988D1B4A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwClose [0x988B1C16]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0x988D414E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0x988A9DA2]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateKey [0x988BAD92]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0x988C9646]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0x988CA15E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0x988A82FE]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0x988BA682]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateThread [0x988C7CC6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0x988B8F26]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteKey [0x988BCD4E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteValueKey [0x988C47A2]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0x988C6666]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0x988B9D86]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0x988B00CF]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0x988BC154]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenProcess [0x988CC8B6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0x988A8D5E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenThread [0x988CBB36]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0x988D3342]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0x988B2C8D]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0x988BDB82]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryValueKey [0x988BE65E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0x988D0D92]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0x988C369E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwReplaceKey [0x988C0216]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0x988D6636]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0x988D6C1A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRestoreKey [0x988C2B6A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0x988C16CA]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0x988C2112]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0x988D4E36]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0x988D01B6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0x988B4BDE]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0x988C59C2]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetValueKey [0x988BF1BA]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0x988CEEE6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0x988CF80E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0x988D781A]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateProcess [0x988CD66E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0x988CE386]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0x988C723E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0x988D25E6]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateThreadEx [0x988C897E]
SSDT \SystemRoot\system32\DRIVERS\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateUserProcess [0x988CAD02]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\a-squared Anti-Malware\a2service.exe[852] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [00454AB4] C:\Program Files\a-squared Anti-Malware\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Anti-Malware\a2service.exe[852] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [00454AB4] C:\Program Files\a-squared Anti-Malware\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E37817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E8A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E3BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E2F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E2E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73E68395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73E3DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E2FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E2FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73EBCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73E5C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E2D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E26853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E2687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E32AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SizeofResource] [10001230] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadResource] [100011F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!FindResourceW] [100011A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SizeofResource] [10001230] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadResource] [100011F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindResourceW] [100011A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SizeofResource] [10001230] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadResource] [100011F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ole32.dll [USER32.dll!SetFocus] [10001790] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\ole32.dll [USER32.dll!MessageBoxW] [100014F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadResource] [100011F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindResourceW] [100011A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SizeofResource] [10001230] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!LoadMenuW] [10001270] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!SetParent] [100014C0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!MessageBoxW] [100014F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SizeofResource] [10001230] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FindResourceW] [100011A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadResource] [100011F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [USER32.dll!MessageBoxW] [100014F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetParent] [100014C0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [USER32.dll!LoadMenuW] [10001270] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [10001F40] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetWindowPos] [100017C0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetFocus] [10001790] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!UrlEscapeW] [10002050] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!SizeofResource] [10001230] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadResource] [100011F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\CRYPT32.dll [USER32.dll!MessageBoxW] [100014F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!CompareStringW] [100016A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!FindResourceW] [100011A0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadResource] [100011F0] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)
IAT C:\Program Files\Windows Sidebar\sidebar.exe[3224] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10002A60] C:\Program Files\Windows Sidebar\sfc.dll (Windows Sidebar Extension/Stanimir Stoyanov)

---- Threads - GMER 1.0.15 ----

Thread System [4:416] 8D123930

---- EOF - GMER 1.0.15 ----

Blade81
2009-11-27, 17:22
Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

john23
2009-11-27, 17:40
Update: I tried running GMER again with everything selected. This time I was able to catch where it failed. In Sections: C:\windows\system32\drivers it stopped and gave me a BSOD when it got to the file fflyapow.sys. I copied the stop info and the address info. Is this any help?

Blade81
2009-11-27, 17:48
Hi,

I don't believe those error codes will help at this point. Better run ComboFix now (right click its icon and select run as administrator).

john23
2009-11-27, 20:00
ComboFix didn't act exactly as described and had to be restarted once but, be that as it may, here is the log.

ComboFix 09-11-26.02 - John 11/27/2009 12:46:07.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3069.1656 [GMT -5:00]
Running from: C:\Users\John\Desktop\ComboFix.exe
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
SP: Outpost Firewall Pro *disabled* (Updated) {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$RECYCLE.BIN\S-1-5-21-918056312-2952985149-2686913973-500
C:\Users\John\AppData\Roaming\.#
C:\VDM2A19.tmp
C:\VDM2A1A.tmp
C:\Windows\system32\twain_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-27 18:24:11 . 2009-11-27 18:24:11 0 d-----w- C:\Users\Default\AppData\Local\temp
2009-11-26 20:08:43 . 2009-11-26 20:08:43 4045527 ----a-w- C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-26 20:08:22 . 2009-09-10 19:53:50 19160 ----a-w- C:\Windows\system32\drivers\mbam.sys
2009-11-26 20:08:10 . 2009-09-10 19:54:06 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2009-11-26 20:08:07 . 2009-11-27 14:36:59 4096 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-24 22:38:21 . 2009-10-29 09:17:42 2048 ----a-w- C:\Windows\system32\tzres.dll
2009-11-24 22:37:06 . 2009-08-11 16:44:26 1401856 ----a-w- C:\Windows\system32\msxml6.dll
2009-11-24 22:37:02 . 2009-08-11 16:44:26 1248768 ----a-w- C:\Windows\system32\msxml3.dll
2009-11-22 21:26:20 . 2009-05-07 07:04:50 157712 ----a-w- C:\Windows\system32\drivers\tmcomm.sys
2009-11-22 20:58:51 . 2009-11-22 20:59:08 4096 d-----w- C:\Program Files\ERUNT
2009-11-22 20:09:11 . 2009-11-22 20:12:31 8192 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-11-22 19:24:07 . 2009-11-22 19:24:18 0 d-----w- C:\Windows\system32\Adobe
2009-11-22 19:18:08 . 2007-07-12 07:50:27 319984 ------w- C:\ProgramData\HP\Installer\Temp\difxapi.dll
2009-11-22 19:13:21 . 2006-09-29 17:09:50 534528 ------w- C:\ProgramData\HP\Installer\Temp\dpinst_x32\dpinst.exe
2009-11-21 17:08:35 . 2009-11-21 17:08:35 0 d-----w- C:\Users\John\AppData\Local\Microsoft Corporation
2009-11-21 17:07:56 . 2009-11-21 17:07:57 4096 d-----w- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
2009-11-20 00:29:48 . 2009-11-20 00:29:55 0 d-----w- C:\Diskeeper
2009-11-19 23:15:34 . 2009-10-21 06:04:34 45232 ----a-w- C:\Windows\system32\drivers\DKRtWrt.sys
2009-11-19 23:15:30 . 2009-11-19 23:15:30 0 d-----w- C:\Program Files\Common Files\Diskeeper Corporation
2009-11-19 23:15:29 . 2009-11-19 23:15:29 0 d-----w- C:\ProgramData\Diskeeper Corporation
2009-11-19 23:15:26 . 2009-11-19 23:15:26 0 d-----w- C:\Program Files\Windows Home Server
2009-11-11 22:29:53 . 2009-08-14 13:27:17 2036736 ----a-w- C:\Windows\system32\win32k.sys
2009-11-11 22:29:50 . 2009-08-10 12:35:06 355328 ----a-w- C:\Windows\system32\WSDApi.dll
2009-10-31 13:58:32 . 2009-10-31 13:58:32 0 d-----w- C:\Program Files\Windows Portable Devices
2009-10-31 13:46:59 . 2009-09-25 01:31:53 519680 ----a-w- C:\Windows\system32\d3d11.dll
2009-10-31 13:45:34 . 2009-10-08 21:08:01 555520 ----a-w- C:\Windows\system32\UIAutomationCore.dll
2009-10-31 13:45:34 . 2009-10-08 21:08:01 234496 ----a-w- C:\Windows\system32\oleacc.dll
2009-10-31 13:45:34 . 2009-10-08 21:07:59 4096 ----a-w- C:\Windows\system32\oleaccrc.dll
2009-10-31 13:43:29 . 2009-09-10 14:58:28 310784 ----a-w- C:\Windows\system32\unregmp2.exe
2009-10-31 13:43:22 . 2009-09-10 14:59:26 8147456 ----a-w- C:\Windows\system32\wmploc.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 18:35:20 . 2008-11-09 19:17:58 720 ----a-w- C:\ProgramData\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-11-27 18:34:56 . 2007-12-16 22:24:03 33545 ----a-w- C:\Windows\system32\drivers\stwrte.log
2009-11-27 16:40:36 . 2007-12-10 22:42:36 32768 d-----w- C:\Users\John\AppData\Roaming\MailWasherPro
2009-11-27 03:02:27 . 2008-04-20 20:26:53 4096 d-----w- C:\ProgramData\Google Updater
2009-11-23 20:46:32 . 2007-12-10 02:47:37 165232 ---ha-w- C:\Users\John\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2009-11-22 20:50:34 . 2008-12-26 21:12:07 4096 d-----w- C:\ProgramData\Spybot - Search & Destroy
2009-11-22 19:59:05 . 2006-11-28 05:59:31 4096 d-----w- C:\Program Files\Java
2009-11-22 19:09:21 . 2006-12-02 22:10:54 0 d-----w- C:\Program Files\Common Files\HP
2009-11-22 19:06:35 . 2006-12-02 22:11:46 4096 d-----w- C:\ProgramData\HP
2009-11-22 19:05:45 . 2006-12-02 21:45:49 4096 d-----w- C:\Program Files\HP
2009-11-22 01:38:16 . 2009-01-24 22:41:17 12288 d-----w- C:\Program Files\a-squared Anti-Malware
2009-11-19 23:15:25 . 2007-01-28 21:38:42 0 d-----w- C:\Program Files\Diskeeper Corporation
2009-11-15 18:26:05 . 2008-03-30 20:05:41 3658 ----a-w- C:\ProgramData\Intuit\QuickBooks 2008\qbbackup.sys
2009-11-11 01:09:03 . 2007-08-25 14:16:01 4096 d-----w- C:\Program Files\Savings Bond Wizard
2009-11-09 10:00:15 . 2007-07-14 20:47:31 8192 d-----w- C:\Program Files\Picasa2
2009-11-03 23:31:43 . 2007-03-11 21:07:43 4096 d-----w- C:\Program Files\1-Click Answers
2009-11-03 01:42:06 . 2009-10-03 15:05:06 195456 ------w- C:\Windows\system32\MpSigStub.exe
2009-10-31 13:58:27 . 2006-11-02 10:25:05 665600 ----a-w- C:\Windows\inf\drvindex.dat
2009-10-31 13:58:03 . 2009-10-31 13:58:03 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-19 22:36:54 . 2007-01-28 19:04:11 4096 d-----w- C:\Program Files\Common Files\Adobe
2009-10-14 22:00:58 . 2006-11-02 11:18:33 4096 d-----w- C:\Program Files\Windows Mail
2009-10-11 09:17:27 . 2008-11-08 20:51:07 411368 ----a-w- C:\Windows\system32\deploytk.dll
2009-10-02 07:25:06 . 2008-03-30 20:03:37 849184 ----a-w- C:\ProgramData\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\qbpatch.exe
2009-10-01 01:02:17 . 2009-10-31 13:46:29 2537472 ----a-w- C:\Windows\system32\wpdshext.dll
2009-10-01 01:02:05 . 2009-10-31 13:46:34 30208 ----a-w- C:\Windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 . 2009-10-31 13:46:29 334848 ----a-w- C:\Windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 . 2009-10-31 13:46:29 87552 ----a-w- C:\Windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 . 2009-10-31 13:46:33 31232 ----a-w- C:\Windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 . 2009-10-31 13:46:29 546816 ----a-w- C:\Windows\system32\wpd_ci.dll
2009-10-01 01:01:59 . 2009-10-31 13:46:29 160256 ----a-w- C:\Windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 . 2009-10-31 13:46:31 60928 ----a-w- C:\Windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 . 2009-10-31 13:46:29 350208 ----a-w- C:\Windows\system32\WPDSp.dll
2009-10-01 01:01:56 . 2009-10-31 13:46:29 196608 ----a-w- C:\Windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 . 2009-10-31 13:46:29 100864 ----a-w- C:\Windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 . 2009-10-31 13:46:33 81920 ----a-w- C:\Windows\system32\wpdbusenum.dll
2009-09-25 02:10:10 . 2009-10-31 13:47:00 974848 ----a-w- C:\Windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 . 2009-10-31 13:47:00 189440 ----a-w- C:\Windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 . 2009-10-31 13:47:00 321024 ----a-w- C:\Windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 . 2009-10-31 13:47:00 1554432 ----a-w- C:\Windows\system32\xpsservices.dll
2009-09-25 01:48:08 . 2009-10-31 13:47:00 351232 ----a-w- C:\Windows\system32\XpsPrint.dll
2009-09-25 01:38:29 . 2009-10-31 13:47:00 847360 ----a-w- C:\Windows\system32\OpcServices.dll
2009-09-25 01:36:13 . 2009-10-31 13:47:00 280064 ----a-w- C:\Windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 . 2009-10-31 13:47:01 135680 ----a-w- C:\Windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 . 2009-10-31 13:47:00 195584 ----a-w- C:\Windows\system32\dxdiagn.dll
2009-09-25 01:33:15 . 2009-10-31 13:47:01 829440 ----a-w- C:\Windows\system32\d3d10warp.dll
2009-09-25 01:33:01 . 2009-10-31 13:47:02 369664 ----a-w- C:\Windows\system32\WMPhoto.dll
2009-09-25 01:32:59 . 2009-10-31 13:47:00 252928 ----a-w- C:\Windows\system32\dxdiag.exe
2009-09-25 01:31:26 . 2009-10-31 13:46:59 486912 ----a-w- C:\Windows\system32\d3d10level9.dll
2009-09-25 01:31:21 . 2009-10-31 13:46:59 161280 ----a-w- C:\Windows\system32\d3d10_1.dll
2009-09-25 01:31:19 . 2009-10-31 13:46:59 218112 ----a-w- C:\Windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 . 2009-10-31 13:46:59 1030144 ----a-w- C:\Windows\system32\d3d10.dll
2009-09-25 01:31:15 . 2009-10-31 13:47:00 828928 ----a-w- C:\Windows\system32\d2d1.dll
2009-09-25 01:30:23 . 2009-10-31 13:46:59 481792 ----a-w- C:\Windows\system32\dxgi.dll
2009-09-25 01:30:23 . 2009-10-31 13:46:59 190464 ----a-w- C:\Windows\system32\d3d10core.dll
2009-09-25 01:27:25 . 2009-10-31 13:47:01 634880 ----a-w- C:\Windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 . 2009-10-31 13:47:02 37888 ----a-w- C:\Windows\system32\cdd.dll
2009-09-25 01:27:04 . 2009-10-31 13:46:59 793088 ----a-w- C:\Windows\system32\FntCache.dll
2009-09-25 01:27:04 . 2009-10-31 13:46:59 1064448 ----a-w- C:\Windows\system32\DWrite.dll
2009-09-24 22:54:55 . 2009-10-31 13:47:02 258048 ----a-w- C:\Windows\system32\winspool.drv
2009-09-24 22:54:53 . 2009-10-31 13:47:00 667648 ----a-w- C:\Windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 . 2009-10-31 13:47:01 26112 ----a-w- C:\Windows\system32\printfilterpipelineprxy.dll
2009-09-14 09:29:50 . 2009-10-14 21:46:35 144896 ----a-w- C:\Windows\system32\drivers\srv2.sys
2009-09-10 20:25:14 . 2008-03-22 14:31:42 127640 ----a-w- C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-10 16:48:01 . 2009-10-14 21:46:50 218624 ----a-w- C:\Windows\system32\msv1_0.dll
2009-09-10 02:01:02 . 2009-10-31 13:47:32 3023360 ----a-w- C:\Windows\system32\UIRibbon.dll
2009-09-10 02:00:54 . 2009-10-31 13:47:33 1164800 ----a-w- C:\Windows\system32\UIRibbonRes.dll
2009-09-10 02:00:36 . 2009-10-31 13:47:33 92672 ----a-w- C:\Windows\system32\UIAnimation.dll
2009-09-04 11:41:59 . 2009-10-14 21:47:30 60928 ----a-w- C:\Windows\system32\msasn1.dll
2007-01-05 20:18:45 . 2007-01-05 20:18:45 8192 --sha-w- C:\Windows\Users\Default\NTUSER.DAT
2006-11-02 12:35:02 . 2006-11-02 12:35:02 397312 --sha-w- C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\WinMail.exe
.

john23
2009-11-27, 20:05
I was able to run HJT. Log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:45 PM, on 11/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\1-CLIC~1\agtserv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IETOOL~1\ANSWER~1.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Vista_upgrade] C:\Users\John\Local Settings\Application Data\DellVistaUpgrade\Vista_Upgrade.exe
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~2\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166907923062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: c:\PROGRA~1\Agnitum\OUTPOS~2\wl_hook.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~2\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Commander Service - Unknown owner - C:\Program Files\Seagull\BarTender\7.74\CmdrSrv.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

--
End of file - 11932 bytes
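The HijackThis log above is what the helper works through by eye; as an added example (not part of this thread, and not code from HijackThis), here is a small Python triage script that parses the O-section line format shown in that log and pulls out the entries a reviewer looks at first. The sample lines are copied from the log above; the host allowlist and the "finding" labels are my own assumptions, and a flagged line is a review item, not a verdict (Outpost's wl_hook.dll in O20 is a legitimate product hook, for instance).

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code).

Flags three things a reviewer checks first in an HJT log:
  * O18/O23 entries whose file is missing (dangling handler or service),
  * O20 AppInit_DLLs (a DLL loaded into every user-mode process),
  * O16 DPF ActiveX downloads from hosts outside an allowlist.
"""
import re
from urllib.parse import urlparse

# Sample lines taken from the log posted above (constructed subset for the example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166907923062
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: c:\PROGRA~1\Agnitum\OUTPOS~2\wl_hook.dll
O23 - Service: Commander Service - Unknown owner - C:\Program Files\Seagull\BarTender\7.74\CmdrSrv.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Every HJT line is "<section> - <body>", e.g. "O23 - Service: ...".
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")

# Hosts treated as expected sources for DPF ActiveX downloads (assumption for the example).
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


def parse_line(line):
    """Split one HJT line into its section tag and body, or None if not an HJT line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2)}


def dpf_host(body):
    """Return the download host of an O16 body: 'DPF: {CLSID} (Name) - <url>'."""
    url = body.rsplit(" - ", 1)[-1]
    return urlparse(url).hostname or ""


def is_trusted_host(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return a list of (section, reason, line) for lines worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        sec, body = entry["section"], entry["body"]
        if "(file missing)" in body or "(no file)" in body:
            # A registered handler/service whose binary is gone: leftover or removed malware.
            findings.append((sec, "dangling reference, file missing", line))
        elif sec == "O20":
            # AppInit_DLLs are injected into every process that loads user32.dll.
            findings.append((sec, "AppInit_DLLs injection into every user-mode process", line))
        elif sec == "O16":
            host = dpf_host(body)
            if not is_trusted_host(host):
                findings.append((sec, "ActiveX download from third-party host " + host, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Running it on the sample prints five review items: the Viewpoint ActiveX download, the two O18 protocol handlers with no file behind them, the Outpost AppInit hook, and the BarTender service whose executable is gone. The Microsoft Update control and the two ESET entries pass through silently.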

john23
2009-11-27, 20:11
SpyBot also seems to be OK. It's running now.

Blade81
2009-11-27, 20:29
Hi,

ComboFix only ran partially.

Please disable your antivirus protection and Outpost firewall. Then run ComboFix (right click its icon and select 'run as administrator') again.

john23
2009-11-27, 21:28
How long should it take for ComboFix to create a system restore point? Would a half hour be too long?

Blade81
2009-11-27, 21:35
Sounds like a rather long time for pure restore point creation. Please try to run it in safe mode with the 'run as administrator' option. If ComboFix needs a reboot, ensure that it reboots back into safe mode.

john23
2009-11-28, 02:50
I think we have a winner.

ComboFix 09-11-27.03 - John 11/27/2009 18:33.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3069.1689 [GMT -5:00]
Running from: c:\users\John\Desktop\ComboFix.exe
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
SP: Outpost Firewall Pro *disabled* (Updated) {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\VDM2A19.tmp
C:\VDM2A1A.tmp
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-26 20:08 . 2009-11-26 20:08 4045527 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-26 20:08 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 20:08 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 20:08 . 2009-11-27 14:36 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 22:38 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 22:37 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 22:37 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-22 21:26 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-22 20:58 . 2009-11-22 20:59 4096 d-----w- c:\program files\ERUNT
2009-11-22 20:09 . 2009-11-22 20:12 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-22 19:24 . 2009-11-22 19:24 -------- d-----w- c:\windows\system32\Adobe
2009-11-22 19:18 . 2007-07-12 07:50 319984 ------w- c:\programdata\HP\Installer\Temp\difxapi.dll
2009-11-22 19:13 . 2006-09-29 17:09 534528 ------w- c:\programdata\HP\Installer\Temp\dpinst_x32\dpinst.exe
2009-11-21 17:08 . 2009-11-21 17:08 -------- d-----w- c:\users\John\AppData\Local\Microsoft Corporation
2009-11-21 17:07 . 2009-11-21 17:07 4096 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-20 00:29 . 2009-11-20 00:29 -------- d-----w- C:\Diskeeper
2009-11-19 23:15 . 2009-10-21 06:04 45232 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2009-11-19 23:15 . 2009-11-19 23:15 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-11-19 23:15 . 2009-11-19 23:15 -------- d-----w- c:\programdata\Diskeeper Corporation
2009-11-19 23:15 . 2009-11-19 23:15 -------- d-----w- c:\program files\Windows Home Server
2009-11-11 22:29 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 22:29 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-10-31 13:58 . 2009-10-31 13:58 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-31 13:46 . 2009-09-25 01:31 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-10-31 13:45 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-31 13:45 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-31 13:45 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-31 13:43 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-31 13:43 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 00:42 . 2008-11-09 19:17 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-11-28 00:41 . 2007-12-16 22:24 34257 ----a-w- c:\windows\system32\drivers\stwrte.log
2009-11-27 22:02 . 2007-12-10 22:42 32768 d-----w- c:\users\John\AppData\Roaming\MailWasherPro
2009-11-27 03:02 . 2008-04-20 20:26 4096 d-----w- c:\programdata\Google Updater
2009-11-23 20:46 . 2007-12-10 02:47 165232 ---ha-w- c:\users\John\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2009-11-22 20:50 . 2008-12-26 21:12 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-22 19:59 . 2006-11-28 05:59 4096 d-----w- c:\program files\Java
2009-11-22 19:09 . 2006-12-02 22:10 -------- d-----w- c:\program files\Common Files\HP
2009-11-22 19:06 . 2006-12-02 22:11 4096 d-----w- c:\programdata\HP
2009-11-22 19:05 . 2006-12-02 21:45 4096 d-----w- c:\program files\HP
2009-11-22 01:38 . 2009-01-24 22:41 12288 d-----w- c:\program files\a-squared Anti-Malware
2009-11-19 23:15 . 2007-01-28 21:38 -------- d-----w- c:\program files\Diskeeper Corporation
2009-11-15 18:26 . 2008-03-30 20:05 3658 ----a-w- c:\programdata\Intuit\QuickBooks 2008\qbbackup.sys
2009-11-11 01:09 . 2007-08-25 14:16 4096 d-----w- c:\program files\Savings Bond Wizard
2009-11-09 10:00 . 2007-07-14 20:47 8192 d-----w- c:\program files\Picasa2
2009-11-03 23:31 . 2007-03-11 21:07 4096 d-----w- c:\program files\1-Click Answers
2009-11-03 01:42 . 2009-10-03 15:05 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 13:58 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 13:58 . 2009-10-31 13:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-19 22:36 . 2007-01-28 19:04 4096 d-----w- c:\program files\Common Files\Adobe
2009-10-14 22:00 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-11 09:17 . 2008-11-08 20:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 07:25 . 2008-03-30 20:03 849184 ----a-w- c:\programdata\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\qbpatch.exe
2009-10-01 01:02 . 2009-10-31 13:46 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-31 13:46 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-31 13:46 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-31 13:46 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-31 13:46 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-31 13:46 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-31 13:46 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-31 13:46 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-31 13:46 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-31 13:46 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-31 13:46 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-31 13:46 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-25 02:10 . 2009-10-31 13:47 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-31 13:47 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-31 13:47 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-31 13:47 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-31 13:47 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-31 13:47 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-31 13:47 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-31 13:47 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-31 13:47 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-31 13:47 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-31 13:47 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-31 13:47 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-31 13:46 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-31 13:46 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-31 13:46 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-31 13:46 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-31 13:47 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-31 13:46 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-31 13:46 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-31 13:47 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-31 13:47 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-31 13:46 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-31 13:46 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-31 13:47 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-31 13:47 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-31 13:47 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-14 09:29 . 2009-10-14 21:46 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 20:25 . 2008-03-22 14:31 127640 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-10 16:48 . 2009-10-14 21:46 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 02:01 . 2009-10-31 13:47 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00 . 2009-10-31 13:47 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00 . 2009-10-31 13:47 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41 . 2009-10-14 21:47 60928 ----a-w- c:\windows\system32\msasn1.dll
2007-01-05 20:18 . 2007-01-05 20:18 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2006-11-02 12:35 . 2006-11-02 12:35 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-12-12 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-11 178712]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2008-07-15 435528]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~2\op_mon.exe" [2008-07-15 1153352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-03-17 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"CTHelper"="CTHELPER.EXE" - c:\windows\System32\CtHelper.exe [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\System32\CTXFIHLP.EXE [2006-12-12 20480]
"CtxfiReg"="CTXFIREG.EXE" - c:\windows\System32\CTXFIREG.EXE [2006-12-12 44032]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2007-3-11 798720]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Agnitum\OUTPOS~2\wl_hook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a6,ca,1a,7b,f4,ea,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1002608937-2175423900-1745845827-1006]
"EnableNotificationsRef"=dword:00000001

R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\afw.sys [12/9/2007 1:34 PM 28688]
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [2/6/2009 1:23 PM 106208]
R1 SandBox;SandBox;c:\windows\System32\drivers\SandBox.sys [10/10/2008 4:49 PM 673920]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~2\acs.exe [12/9/2007 1:34 PM 1238344]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 1:23 PM 727720]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [2/6/2009 1:24 PM 92800]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/26/2009 3:08 PM 269648]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/22/2009 3:09 PM 1153368]
R3 afwcore;afwcore;c:\windows\System32\drivers\afwcore.sys [10/10/2008 4:49 PM 242704]
R3 cxbu0wdm;CardMan 3x21;c:\windows\System32\drivers\cxbu0wdm.sys [1/15/2008 11:39 AM 97792]
R3 DKRtWrt;DKRtWrt;c:\windows\System32\drivers\DKRtWrt.sys [11/19/2009 6:15 PM 45232]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [11/26/2009 3:08 PM 19160]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 5:25 AM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 5:25 AM 251904]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 ASWFilt;ASWFilt;c:\windows\System32\Filt\ASWFilt.dll [10/10/2008 4:49 PM 33408]
S3 Commander Service;Commander Service;c:\program files\Seagull\BarTender\7.74\CmdrSrv.exe --> c:\program files\Seagull\BarTender\7.74\CmdrSrv.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [5/25/2008 2:34 PM 21504]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [6/19/2009 3:59 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/29/2009 4:18 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [5/8/2009 10:56 AM 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [1/29/2009 4:15 PM 23680]

--- Other Services/Drivers In Memory ---

*Deregistered* - AMON
*Deregistered* - nod32drv
*Deregistered* - NOD32krn

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WudfServiceGroup REG_MULTI_SZ WUDFSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2009-11-27 c:\windows\Tasks\Malwarebytes' Scheduled Scan for John.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-26 19:53]

2009-11-27 c:\windows\Tasks\Malwarebytes' Scheduled Update for John.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-11-26 19:53]

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{4FF4E474-DC1F-4154-861C-58E20F0D116F}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{A1AF7671-31E0-4BED-BBB9-946907EA400B}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{E143C68F-1647-431E-8400-33CEB4C0595C}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WheresJames Startup Manager - c:\program files\WheresJames\StartupMgr\StartupMgr.exe
HKLM-Run-Vista_upgrade - c:\users\John\Local Settings\Application Data\DellVistaUpgrade\Vista_Upgrade.exe
HKLM-Run-AudioDrvEmulator - c:\program files\Creative\Shared Files\Module Loader\DLLML.exe
AddRemove-Agnitum Outpost Firewall Pro - c:\progra~1\Agnitum\OUTPOS~1\uninst.exe
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE
AddRemove-Dell Game Console - c:\program files\WildTangent\Apps\Dell Game Console\Uninstall.exe
AddRemove-Monumental Battlefields - c:\windows\ss3unstl.exe Monumental Battlefields
AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta
AddRemove-Windows Live Toolbar - c:\program files\Windows Live Toolbar\UnInstall.exe {D5A145FC-D00C-4F1A-9119-EB4D9D659750}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 19:42
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3520)
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\a-squared Anti-Malware\a2service.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2009-11-27 20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-28 01:40

Pre-Run: 121,211,273,216 bytes free
Post-Run: 115,939,090,432 bytes free

- - End Of File - - EFD9F506CAA7147EB7A5C2FC9134BABD
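The ComboFix report above dumps the registry loading points in REGEDIT4 form, and two of those values are security-relevant on their own: the policies\system key shows EnableLUA = 0 (Vista's UAC switched off), and ComboFix prints [X] in place of a file date and size for a Run entry whose details it could not read. As an added example (not part of this thread and not ComboFix code), here is a Python audit of that section; the sample is a constructed subset of the dump above, and the key-path suffixes and finding labels are my own assumptions.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log (added example).

Parses REGEDIT4-style '[key]' / '"name"=value' lines and reports:
  * EnableLUA = 0 under ...\policies\system (UAC disabled),
  * Run entries that ComboFix annotated with [X] instead of a date and size.
"""
import re

# Constructed subset of the registry dump posted above.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_dump(text):
    """Return {key_path_lowercased: {value_name: raw_value_text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = vm.group(2).strip()
    return keys


def dword_of(raw):
    """ComboFix prints REG_DWORD values as '0 (0x0)'; return the leading decimal."""
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def audit(text):
    """Return a list of (what, why) findings for the dump."""
    keys = parse_reg_dump(text)
    findings = []
    for path, values in keys.items():
        if path.endswith(r"\policies\system") and dword_of(values.get("EnableLUA", "")) == 0:
            findings.append(("EnableLUA=0",
                             "UAC is disabled; admin sessions run fully elevated with no prompt"))
        if path.endswith(r"\currentversion\run"):
            for name, raw in values.items():
                if raw.endswith("[X]"):
                    findings.append(("Run:" + name,
                                     "autorun entry with no readable file date/size; verify the target"))
    return findings


if __name__ == "__main__":
    for what, why in audit(SAMPLE_REG):
        print(f"{what}: {why}")
```

On the sample this reports the StartCCC autorun entry and the disabled UAC; the egui entry, which has a normal date and size, is not listed. Re-enabling UAC (EnableLUA = 1, which takes effect after a reboot) is the follow-up a practitioner would add to the cleanup steps below.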

Blade81
2009-11-28, 11:54
Looks good. Please uninstall outdated & vulnerable Java(TM) 6 Update 7.


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling system restore, but on step 6 check any checkboxes listed for your hard drives.



Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the 'Begin cleanup Process?' prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free).

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen)
Click run
In the dialog box, type services.msc and hit enter, then locate DNS Client
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
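The hosts file advice above works by mapping unwanted names to a sinkhole address. As an added example that is not part of this thread or of the MVPS project, the following Python audit separates such blocking entries from entries that send a real host name to a real address, which are the ones a helper would want to look at when checking a cleaned machine. The sample hosts content is constructed.

```python
# Added example (not from the thread or the MVPS project): audit a Windows hosts
# file, separating blocklist entries from redirects that deserve a second look.
import ipaddress

# Addresses that make a name resolve nowhere useful: the blocking form used by
# blocklists such as the MVPS hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return {'blocked': [names], 'redirected': [(name, ip)], 'malformed': [lines]}."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) < 2:
                raise ValueError("missing host name")
            ipaddress.ip_address(fields[0])      # validates IPv4 and IPv6
        except ValueError:
            report["malformed"].append(raw)
            continue
        addr = fields[0]
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue                          # ordinary loopback entries
            if addr in SINKHOLE_ADDRS:
                report["blocked"].append(name)
            else:
                # A real host name mapped to a real address is how a hosts file
                # hijacks update or security sites; these need a human review.
                report["redirected"].append((name, addr))
    return report


# Constructed sample; the redirect uses a TEST-NET (documentation) address.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.net        # blocklist-style entry
127.0.0.1 tracker.example.org
192.0.2.10 update.example.com
not-an-ip something.example
"""

if __name__ == "__main__":
    r = parse_hosts(SAMPLE_HOSTS)
    print(f"blocked={len(r['blocked'])} redirected={r['redirected']} malformed={len(r['malformed'])}")
```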

john23
2009-11-28, 17:59
Hi Blade,
Everything seems fine so far. I reset the system restore point and created a fresh one. I ran OTC and what it didn't delete I deleted. The IE settings you recommended were already set. As far as my AV and firewall, NOD32 updates automatically daily and Outpost automatically updates when they have one. My Microsoft Update is set to prompt me when new updates are available. As soon as I get the prompt I download and install. So, with that said, I guess I'm good to go. I really thank you for all your help. Because I've been in IT for so long I'm usually the one friends and family come to with problems but, this one had me stumped. Once again, Thanks again.

Blade81
2009-11-28, 18:01
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.