View Full Version : Browser redirect and will not let me update Spybot etc
mikepoet
2010-02-01, 21:35
Hello. Read the 'Read this first' and run Spybot, Adaware, Malwarebyte and Avast. All clean apart from every time I restart Malwarebyte comes up with the same Trojan in the Registry.
See below for Hijack This file. Any help much appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30:56, on 01/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\mskgzq32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?
LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\mskgzq32.exe,
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office
\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files
\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin
\jp2ssv.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update
\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
/runcleanupscript
O4 - HKCU\..\Run: [EPSON SX100 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\Windows
\TEMP\E_S115E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:
\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:
\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:
\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer =
93.188.163.157,93.188.166.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{85E9855C-0E6C-48B9-8723-2FEF21ADC0CE}: NameServer =
93.188.163.157,93.188.166.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer =
93.188.163.157,93.188.166.15
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer =
93.188.163.157,93.188.166.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office
\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin
\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software
\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3
SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3
SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision
Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater
\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot -
Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8443 bytes
Hello Mike,
Welcome to the forum. I cant read your HJT log the way you posted it , run it again and when it opens in Notepad, go to Format and make sure Wordwrap is unchecked
Post the log from Malwarebytes, you can find it by opening MBAM and going to Logs and open the log you ran, copy and paste the log into this thread
Post the MBAM log and a new HJT log please
mikepoet
2010-02-05, 08:47
Thanks for coming back to me Ken. New HJT and Malwarebytes log below. Look forward to hearing from you.
Mike
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:45:32, on 05/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\mskgzq32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FCP Internet Ltd\Ensure\Ensure.exe
C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Aladdin\eToken\PKIClient\x32\pkimonitor.exe
C:\Program Files\VSO\ConvertX\4\ConvertXtoDvd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\mskgzq32.exe,
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [eTMonitor] "C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe"
O4 - HKCU\..\Run: [EPSON SX100 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\Windows\TEMP\E_S115E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Mike\AppData\Roaming\mscmgu32.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: evolve.lnk = C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
O4 - Global Startup: Ensure.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{85E9855C-0E6C-48B9-8723-2FEF21ADC0CE}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Ensure Service (EnsureServ) - Unknown owner - C:\Program Files\FCP Internet Ltd\Ensure\EnsureServ.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ETOKSRV (eTSrv) - Aladdin Knowledge Systems, Ltd. - C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9827 bytes
[B]Malwarebytes
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
01/02/2010 20:25:45
mbam-log-2010-02-01 (20-25-45).txt
Scan type: Full Scan (C:\|)
Objects scanned: 229768
Time elapsed: 51 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Good Morning Mike,
Before we proceed with any cleaning, run this quick Rootkit scanner and post the log
Please download RootRepeal from one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
mikepoet
2010-02-05, 19:30
Hello again. I downloaded from all 3 places and kept getting the same error message. namely
FOPS - DeviceIOControl Error! Errorcode = 0xc0000024 Extended Info (0x000000dc)
When I try and run the scan it will not let me.
Not sure if it matters but I am running Windows 7.
Try this one Mike. You will have to Right click on it and select RUN AS ADMINISTRATOR
Please download Rooter Rootkit Detector (http://eric.71.mespages.googlepages.com/Rooter.exe) to your Desktop
Doubleclick it to start the tool.
A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt.
Post the report for me to see.
mikepoet
2010-02-05, 20:04
Ken. Looks like I am going to be one of those PITA people. Downloaded and ran. Just as it gets to checking files it stops working. Have run multiple times both as an administrator and just as a user and same result.
Mike, the problem here is because Win 7 is new there are not to many tools available yet to clean infections.
Make sure the Teatimer in Spybot is disabled
Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking[/b]
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\mskgzq32.exe,
O17 - HKLM\System\CCS\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{85E9855C-0E6C-48B9-8723-2FEF21ADC0CE}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{26ACF4ED-D793-4F1E-BC45-2DEEE3C3DCD0}: NameServer = 93.188.163.157,93.188.166.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.157,93.188.166.15
Please download OTM (http://oldtimer.geekstogo.com/OTM.exe) by OldTimer.
Save it to your desktop.
Please click OTM and then click >> run.
Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe
:Services
:Reg
:Files
C:\Windows\system32\mskgzq32.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log and a new HJT log please
mikepoet
2010-02-05, 22:17
OTM File
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\system32\mskgzq32.exe moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Mcx1-MIKE-LAPTOP
->Temp folder emptied: 516 bytes
->Temporary Internet Files folder emptied: 68207 bytes
User: Mike
->Temp folder emptied: 114956 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 103899341 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 99.00 mb
OTM by OldTimer - Version 3.1.8.0 log created on 02052010_210930
Files moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
HJT file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:15:46, on 05/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\notepad.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe
C:\Program Files\FCP Internet Ltd\Ensure\Ensure.exe
C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [eTMonitor] "C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe"
O4 - HKCU\..\Run: [EPSON SX100 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\Windows\TEMP\E_S115E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [userinit] C:\Users\Mike\AppData\Roaming\msoypl32.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: evolve.lnk = C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
O4 - Global Startup: Ensure.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Ensure Service (EnsureServ) - Unknown owner - C:\Program Files\FCP Internet Ltd\Ensure\EnsureServ.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ETOKSRV (eTSrv) - Aladdin Knowledge Systems, Ltd. - C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8790 bytes
Hello Mike
Remove this with HJT
O4 - HKCU\..\Run: [userinit] C:\Users\Mike\AppData\Roaming\msoypl32.exe
I would like you to run Malwarebytes again, here are the directions, make sure you check for updates
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
mikepoet
2010-02-06, 06:51
Thanks again for all this Ken. Logs below
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:49:52, on 06/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\FCP Internet Ltd\Ensure\Ensure.exe
C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [eTMonitor] "C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe"
O4 - HKCU\..\Run: [EPSON SX100 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\Windows\TEMP\E_S115E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [userinit] C:\Users\Mike\AppData\Roaming\msoypl32.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: evolve.lnk = C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
O4 - Global Startup: Ensure.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Ensure Service (EnsureServ) - Unknown owner - C:\Program Files\FCP Internet Ltd\Ensure\EnsureServ.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ETOKSRV (eTSrv) - Aladdin Knowledge Systems, Ltd. - C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8720 bytes
[B]Malwarebytes
Malwarebytes' Anti-Malware 1.44
Database version: 3695
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
06/02/2010 05:48:51
mbam-log-2010-02-06 (05-48-51).txt
Scan type: Quick Scan
Objects scanned: 114532
Time elapsed: 7 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Good Morning Mike,
Remove this with Hijackthis
O4 - HKCU\..\Run: [userinit] C:\Users\Mike\AppData\Roaming\msoypl32.exe
Run this through OTM
:Processes
explorer.exe
:Services
:Reg
:Files
C:\Users\Mike\AppData\Roaming\msoypl32.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Post the OTM log and a new HJT log please
mikepoet
2010-02-07, 21:04
Ken, apologies as I was away this weekend. Logs below.
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:48, on 07/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe
C:\Program Files\FCP Internet Ltd\Ensure\Ensure.exe
C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [eTMonitor] "C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe"
O4 - HKCU\..\Run: [EPSON SX100 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\Windows\TEMP\E_S115E.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: evolve.lnk = C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
O4 - Global Startup: Ensure.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0C02AA-3B8B-4F9B-B0D9-CBD993D7E367}: NameServer = 193.35.132.165 193.35.132.164
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Ensure Service (EnsureServ) - Unknown owner - C:\Program Files\FCP Internet Ltd\Ensure\EnsureServ.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ETOKSRV (eTSrv) - Aladdin Knowledge Systems, Ltd. - C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8763 bytes
[B]OTM
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Users\Mike\AppData\Roaming\msoypl32.exe not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Mcx1-MIKE-LAPTOP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Mike
->Temp folder emptied: 20719 bytes
->Temporary Internet Files folder emptied: 1108995 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 5801047 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3525 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 7.00 mb
OTM by OldTimer - Version 3.1.8.0 log created on 02072010_195819
Files moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
Hello Mike,
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Mike, this program won't clean anything but will give me a nice report of your system
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)
How are things running now ??
mikepoet
2010-02-07, 22:23
Ken see log below and attachment.
Everything seems to be running fine now. Will reboot and try again and if anything bad is happening will repost. Let me know if there is anything else needed.
Final thing I would ask is where I can best donate as this has been invaluable and great service. And taught me not to look for quick fixes to single problems.
Least I can do is donate something to what you consider the best recipient.
DDS
DDS (Ver_09-12-01.01) - NTFSx86
Run by Mike at 21:14:20.49 on 07/02/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_14
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2038.761 [GMT 0:00]
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FCP Internet Ltd\Ensure\EnsureServ.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe
C:\Program Files\FCP Internet Ltd\Ensure\Ensure.exe
C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
uRun: [EPSON SX100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiede.exe /fu "c:\windows\temp\E_S115E.tmp" /EF "HKCU"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [eTMonitor] "c:\program files\aladdin\etoken\pkiclient\x32\PKIMonitor.exe"
mRun: [<NO NAME>]
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\mike\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\evolve.lnk - c:\program files\fcp internet ltd\evolve\v5.0\Evolve.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ensure.lnk - c:\windows\installer\{d58e955c-525b-4384-bc7b-12af586002fe}\_18be6784.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: evolvedb.co.uk
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {FC0C02AA-3B8B-4F9B-B0D9-CBD993D7E367} = 193.35.132.165 193.35.132.164
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\7w84jyqb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&source=iglk
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-1 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-15 114768]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-15 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-15 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-12 138680]
R2 EnsureMRx;EnsureMRx;c:\program files\fcp internet ltd\ensure\ensuremrx.sys [2009-11-13 122880]
R2 EnsureServ;Ensure Service;c:\program files\fcp internet ltd\ensure\EnsureServ.exe [2009-11-13 401408]
R2 eTSrv;ETOKSRV;c:\program files\aladdin\etoken\pkiclient\x32\eTSrv.exe [2009-12-31 12640]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-9 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-12 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-12 352920]
S3 AKSUP;AKSUP;c:\windows\system32\drivers\aksup.sys [2010-2-2 34472]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
=============== Created Last 30 ================
2010-02-05 21:09:30 0 d-----w- C:\_OTM
2010-02-02 20:13:02 48296 ----a-w- c:\windows\system32\drivers\aksifdh.sys
2010-02-02 20:13:02 34472 ----a-w- c:\windows\system32\drivers\aksup.sys
2010-02-02 20:12:44 0 d-----w- c:\program files\Aladdin
2010-02-02 19:34:25 0 d-----w- c:\program files\ieSpell
2010-02-02 19:27:42 0 d-----w- c:\program files\FCP Internet Ltd
2010-02-02 19:16:10 0 d-----w- c:\programdata\Sun
2010-02-01 04:58:42 0 d-----w- c:\users\mike\appdata\roaming\Malwarebytes
2010-02-01 04:58:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 04:58:29 0 d-----w- c:\programdata\Malwarebytes
2010-02-01 04:58:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 04:58:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 04:40:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-01 04:40:15 0 d-----w- c:\program files\Trend Micro
2010-02-01 04:39:31 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-01 04:39:03 0 d-----w- c:\programdata\Lavasoft
2010-02-01 04:39:03 0 d-----w- c:\program files\Lavasoft
2010-01-31 15:26:54 0 d-----w- c:\program files\MSXML 4.0
2010-01-30 21:35:00 0 d-----w- c:\programdata\Nero
2010-01-30 21:02:53 0 d-----w- c:\windows\system32\BestPractices
2010-01-30 21:02:15 0 d-----w- C:\inetpub
2010-01-26 18:28:14 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-26 18:28:14 2614272 ----a-w- c:\windows\explorer.exe
2010-01-22 19:30:10 0 d-----w- c:\program files\MSECache
2010-01-22 19:28:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-01-21 20:42:05 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 20:36:57 0 d-----w- c:\programdata\Office Genuine Advantage
2010-01-20 22:26:55 0 d-----w- c:\programdata\FLEXnet
2010-01-20 22:17:36 0 d-----w- c:\program files\common files\Macrovision Shared
2010-01-18 19:31:51 0 d-----w- c:\users\mike\appdata\roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-01-18 19:31:51 0 d-----w- c:\programdata\Adobe
2010-01-18 19:31:42 0 d-----w- c:\program files\TweetDeck
2010-01-13 03:02:45 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-01-12 20:53:19 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 20:53:19 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-11 23:03:34 0 d-----w- c:\windows\system32\appmgmt
2010-01-09 15:35:20 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-09 15:35:20 0 d-----w- c:\program files\Spybot - Search & Destroy
==================== Find3M ====================
2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-31 10:16:40 140640 ----a-w- c:\windows\system32\etVerifier.dll
2009-12-31 10:16:38 11104 ----a-r- c:\windows\system32\eTSAPI.dll
2009-12-31 10:16:32 12128 ----a-w- c:\windows\system32\eTPKCS11.dll
2009-12-31 10:16:28 701792 ----a-w- c:\windows\system32\eToken.dll
2009-12-31 10:16:22 9056 ----a-w- c:\windows\system32\eTFS.dll
2009-12-31 10:16:20 10080 ----a-w- c:\windows\system32\eTCAPI.dll
2009-12-31 10:16:18 783712 ----a-w- c:\windows\system32\eTCoreInst.dll
2009-12-27 10:01:34 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-26 21:08:24 87608 ----a-w- c:\users\mike\appdata\roaming\inst.exe
2009-11-26 21:08:23 47360 ----a-w- c:\users\mike\appdata\roaming\pcouffin.sys
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 21:15:46.67 ===============
Hello Mike,
Thanks for your offer of a donation, all donations big or small just go to help keep us online . You can find the donate link on the very top right on this thread.
Just a couple of files I would like you to check for me.
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis, just use the BROWSE feature and then Send File , you will get a report back, post the report into this thread for me to see.
C:\Windows\system32\conhost.exe
c:\windows\installer\{d58e955c-525b-4384-bc7b-12af586002fe}\_18be6784.exe
If the site is busy you can try this one
http://virusscan.jotti.org/en
mikepoet
2010-02-08, 19:15
Ken. Seems the redirector is back again (seems to open a new tab in firefox which goes to directdr.com.)
Have scanned the files that you wanted though and see below
Conhost.exe first
a-squared 4.5.0.50 2010.02.08 -
AhnLab-V3 5.0.0.2 2010.02.08 -
AntiVir 7.9.1.160 2010.02.07 -
Antiy-AVL 2.0.3.7 2010.02.05 -
Authentium 5.2.0.5 2010.02.07 -
Avast 4.8.1351.0 2010.02.08 -
AVG 9.0.0.730 2010.02.07 -
BitDefender 7.2 2010.02.08 -
CAT-QuickHeal 10.00 2010.02.08 -
ClamAV 0.96.0.0-git 2010.02.08 -
Comodo 3858 2010.02.08 -
DrWeb 5.0.1.12222 2010.02.08 -
eSafe 7.0.17.0 2010.02.07 -
eTrust-Vet 35.2.7286 2010.02.05 -
F-Prot 4.5.1.85 2010.02.07 -
F-Secure 9.0.15370.0 2010.02.08 -
Fortinet 4.0.14.0 2010.02.08 -
GData 19 2010.02.08 -
Ikarus T3.1.1.80.0 2010.02.08 -
Jiangmin 13.0.900 2010.02.07 -
K7AntiVirus 7.10.968 2010.02.06 -
Kaspersky 7.0.0.125 2010.02.08 -
McAfee 5885 2010.02.07 -
McAfee+Artemis 5885 2010.02.07 -
McAfee-GW-Edition 6.8.5 2010.02.07 Heuristic.LooksLike.Win32.Suspicious.I
Microsoft 1.5406 2010.02.07 -
NOD32 4846 2010.02.08 -
Norman 6.04.03 2010.02.07 -
nProtect 2009.1.8.0 2010.02.08 -
Panda 10.0.2.2 2010.02.07 -
PCTools 7.0.3.5 2010.02.07 -
Prevx 3.0 2010.02.08 -
Rising 22.34.00.01 2010.02.08 -
Sophos 4.50.0 2010.02.08 -
Sunbelt 3.2.1858.2 2010.02.07 -
TheHacker 6.5.1.1.183 2010.02.08 -
TrendMicro 9.120.0.1004 2010.02.08 -
VBA32 3.12.12.1 2010.02.05 -
ViRobot 2010.2.8.2175 2010.02.08 -
VirusBuster 5.0.21.0 2010.02.07 -
Additional information
File size: 271360 bytes
MD5 : 29d9fcdf65b7c823688a035937bb6697
SHA1 : 177e139755d2efe2ff447bf3b93b9b035e9be8ca
SHA256: 91722232861e35712b4c515247b23a942b908909118f1708dd97fd6cf37cc2fa
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x7B27
timedatestamp.....: 0x4A5BC271 (Tue Jul 14 01:25:37 2009)
machinetype.......: 0x14C (Intel I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30CC8 0x30E00 6.64 72d7a979a99c0c393552bfcd6cbed6c2
FE_TEXT 0x32000 0x5322 0x5400 6.48 4efc3c5e7802ac598bb7f25021d55e02
.data 0x38000 0xF30 0x1000 0.55 58ace29510f35d68df7fd037bed78ffe
.rsrc 0x39000 0x86A8 0x8800 4.39 f238b59ba92fe628f404d90eba049230
.reloc 0x42000 0x2518 0x2600 6.73 c60d2df9ce12e7b614c3e6e8226ea892
( 9 imports )
> api_ms_win_core_localregistry_l1_1_0.dll: RegGetValueW
> gdi32.dll: DeleteDC, GetDIBits, BitBlt, GetObjectW, SelectObject, CreateCompatibleDC, CreateDIBitmap, PatBlt, InvertRgn, CombineRgn, CreateRectRgn, StretchDIBits, SelectPalette, CreateCompatibleBitmap, GdiFullscreenControl, GdiFlush, PolyPatBlt, GetStockObject, SetBkColor, SetTextColor, SetDCBrushColor, GetNearestColor, DeleteObject, GetTextExtentPoint32W, GetTextMetricsW, EnumFontFamiliesExW, CreateDCW, GetTextFaceW, SetFontEnumeration, GetDeviceCaps, GetRegionData, GetRgnBox, PolyTextOutW, GetCurrentObject, SetBkMode, RealizePalette, SetSystemPaletteUse, GetStringBitmapW, CreateSolidBrush, TranslateCharsetInfo, GetCharWidth32W, CreateBitmap, SetBitmapBits, GetBitmapBits, StretchBlt, CreateFontIndirectW, SetDIBitsToDevice
> imm32.dll: ImmGetCompositionStringW, ImmGetGuideLineW, ImmGetContext, ImmGetOpenStatus, ImmGetConversionStatus, ImmReleaseContext, ImmAssociateContextEx, ImmAssociateContext, ImmTranslateMessage, ImmNotifyIME, ImmGetProperty, ImmGetCandidateListW
> kernel32.dll: GetOEMCP, GlobalSize, GlobalUnlock, GetStringTypeW, CreateFileA, GetSystemDirectoryA, GetModuleHandleW, GetACP, CreateThread, InterlockedExchange, Sleep, InterlockedCompareExchange, GetStartupInfoA, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GlobalFree, GlobalAlloc, InterlockedIncrement, InterlockedDecrement, GetVersionExW, VirtualProtect, lstrlenA, VirtualAlloc, GetSystemInfo, VirtualQuery, LocalAlloc, LocalFree, LocalReAlloc, LockResource, LoadResource, FindResourceExW, IsValidCodePage, GetCurrentProcessId, GetCurrentThreadId, GetLastError, CreateActCtxW, GetModuleFileNameW, SetEnvironmentVariableW, GetEnvironmentVariableW, CloseHandle, SetFilePointer, ReadFile, MultiByteToWideChar, FreeLibrary, LoadLibraryExW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, CreateFileW, SetProcessShutdownParameters, GetProcAddress, LoadLibraryW, GetSystemDirectoryW, WideCharToMultiByte, GetCPInfo, lstrlenW, Beep, GetCurrentThread, GlobalLock
> msvcrt.dll: malloc, free, __set_app_type, _controlfp, _except_handler4_common, __p__fmode, __p__commode, __setusermatherr, _amsg_exit, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, memcpy, _local_unwind4, _vsnwprintf, wcschr, wcsncmp, wcsrchr, memset, atoi, _itoa, memmove, _terminate@@YAXXZ
> ntdll.dll: RtlPrefixUnicodeString, RtlIntegerToUnicodeString, RtlUnicodeToMultiByteSize, RtlInitializeCriticalSectionAndSpinCount, RtlConsoleMultiByteToUnicodeN, RtlDosSearchPath_U, ShipAssert, RtlExitUserProcess, NtReplyWaitReceivePort, NtOpenDirectoryObject, NtCreatePort, RtlOpenCurrentUser, NtEnumerateValueKey, NtQueryValueKey, RtlCreateTagHeap, NtOpenKey, NtAcceptConnectPort, NtWaitForMultipleObjects, NtSetInformationProcess, RtlReAllocateHeap, RtlInitCodePageTable, RtlUnicodeToMultiByteN, RtlMultiByteToUnicodeN, RtlCustomCPToUnicodeN, RtlOemToUnicodeN, RtlUnicodeToOemN, RtlExitUserThread, RtlInitUnicodeString, RtlUnicodeStringToInteger, NtSetEvent, NtCreateEvent, NtDuplicateObject, NtClearEvent, RtlDeleteCriticalSection, RtlInitializeCriticalSection, NtOpenProcess, NtQueryInformationProcess, NtVdmControl, NtReleaseMutant, NtWaitForSingleObject, NtCreateMutant, NtUnmapViewOfSection, NtReadVirtualMemory, RtlEnterCriticalSection, RtlLeaveCriticalSection, NtReplyPort, RtlCompareUnicodeString, RtlSizeHeap, DbgPrintEx, RtlAllocateHeap, NtCreateSection, RtlFreeHeap, NtMapViewOfSection, NtClose, RtlGetCriticalSectionRecursionCount
> ole32.dll: CoUninitialize, CoCreateInstance, CoInitializeEx
> oleaut32.dll: -, -, -, -, -, -, -
> user32.dll: RegisterClassExW, SetProcessDPIAware, GetForegroundWindow, SetCursor, SendMessageTimeoutW, TrackPopupMenuEx, UnpackDDElParam, CreateIconFromResourceEx, ReuseDDElParam, CreateWindowExW, GetDC, GetSystemMenu, SetActiveWindow, LoadCursorW, KillTimer, ReleaseDC, DestroyWindow, GetKeyboardLayout, SetTimer, ScrollDC, SetScrollInfo, GetWindowRect, MonitorFromRect, MapWindowPoints, GetMonitorInfoW, GetClientRect, ClientToScreen, AdjustWindowRectEx, GetCaretBlinkTime, GetWindowTextW, SetWindowTextW, SetWindowPos, NotifyWinEvent, MapVirtualKeyW, VkKeyScanW, CloseClipboard, InvalidateRect, GetClipboardData, OpenClipboard, ReleaseCapture, LoadIconW, LoadImageW, EnumDisplaySettingsW, BeginPaint, DrawIcon, EndPaint, DefWindowProcW, IsIconic, EnableMenuItem, LoadMenuW, AppendMenuW, SetMenuItemInfoW, ShowWindow, MessageBoxW, GetKeyboardState, ToUnicodeEx, GetMessageW, DispatchMessageW, UnhookWindowsHookEx, RegisterWindowMessageW, SetWindowsHookExW, GetWindowLongW, SetCapture, SetClipboardData, EmptyClipboard, GetKeyState, PrivateExtractIconExW, EnterReaderModeHelper, TranslateMessageEx, ConsoleControl, GetWindowPlacement, SetWindowPlacement, SystemParametersInfoW, ActivateKeyboardLayout, GetKeyboardLayoutNameA, GetKeyboardLayoutNameW, CopyIcon, DestroyIcon, DialogBoxParamW, EndDialog, GetDlgItemTextW, IsDlgButtonChecked, SendNotifyMessageW, SetWindowLongW, SendDlgItemMessageW, CheckRadioButton, GetSystemMetrics, SendMessageW, PtInRect, ScreenToClient, PostMessageW, LoadStringW, GetCursorPos, WindowFromPoint
( 0 exports )
TrID : File type identification
Win 9x/ME Control Panel applet (31.8%)
Windows Screen Saver (26.8%)
Win32 Executable Generic (17.4%)
Win32 Dynamic Link Library (generic) (15.5%)
Generic Win/DOS Executable (4.1%)
ssdeep: 6144:egpoUV1sLP2DyJsTpOqFK0IsmI8sGXzhTrmeR0gdm:egeom2DyAFKfsmrRAo
PEiD : -
RDS : NSRL Reference Data Set
Next the 18be one (which I think is from Evolve. Some database software that I use)
File _18be6784.exe received on 2010.02.08 18:12:29 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/40 (0%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 56 and 80 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.08 -
AhnLab-V3 5.0.0.2 2010.02.08 -
AntiVir 7.9.1.160 2010.02.08 -
Antiy-AVL 2.0.3.7 2010.02.08 -
Authentium 5.2.0.5 2010.02.08 -
Avast 4.8.1351.0 2010.02.08 -
AVG 9.0.0.730 2010.02.08 -
BitDefender 7.2 2010.02.08 -
CAT-QuickHeal 10.00 2010.02.08 -
ClamAV 0.96.0.0-git 2010.02.08 -
Comodo 3864 2010.02.08 -
DrWeb 5.0.1.12222 2010.02.08 -
eSafe 7.0.17.0 2010.02.07 -
eTrust-Vet 35.2.7290 2010.02.08 -
F-Prot 4.5.1.85 2010.02.08 -
F-Secure 9.0.15370.0 2010.02.08 -
Fortinet 4.0.14.0 2010.02.08 -
GData 19 2010.02.08 -
Ikarus T3.1.1.80.0 2010.02.08 -
Jiangmin 13.0.900 2010.02.08 -
K7AntiVirus 7.10.968 2010.02.06 -
Kaspersky 7.0.0.125 2010.02.08 -
McAfee 5886 2010.02.08 -
McAfee+Artemis 5886 2010.02.08 -
McAfee-GW-Edition 6.8.5 2010.02.08 -
Microsoft 1.5406 2010.02.08 -
NOD32 4849 2010.02.08 -
Norman 6.04.03 2010.02.08 -
nProtect 2009.1.8.0 2010.02.08 -
Panda 10.0.2.2 2010.02.07 -
PCTools 7.0.3.5 2010.02.08 -
Prevx 3.0 2010.02.08 -
Rising 22.34.00.04 2010.02.08 -
Sophos 4.50.0 2010.02.08 -
Sunbelt 3.2.1858.2 2010.02.07 -
TheHacker 6.5.1.1.183 2010.02.08 -
TrendMicro 9.120.0.1004 2010.02.08 -
VBA32 3.12.12.1 2010.02.08 -
ViRobot 2010.2.8.2176 2010.02.08 -
VirusBuster 5.0.21.0 2010.02.08 -
Additional information
File size: 766 bytes
MD5...: b5faeddb5c55ba1b13c513381c445006
SHA1..: 3fdf30015891aad3d09f73b8b943b28c2b5f6897
SHA256: 6db37b28c44dca1d9cad1ce0b31cf44a1c4f2102c3332c6e24aeeaeba21f4500
ssdeep: 6:xl+ijgFxa3Fxa3Fxa3Fxa3Fxa3Fxa3Fxa3Fxa3FxaraJaJaJapaW9aW9a7BX:j
+iMyyyyyyyyMFO
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Windows Icon (57.2%)
MPEG Video (42.7%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Lets run this tool and see what it finds
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
mikepoet
2010-02-08, 19:58
Here we go
GooredFix by jpshortstuff (08.01.10.1)
Log created at 18:56 on 08/02/2010 (Mike)
Firefox version 3.5.7 (en-GB)
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:06 14/11/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [19:19 02/02/2010]
C:\Users\Mike\Application Data\Mozilla\Firefox\Profiles\7w84jyqb.default\extensions\
en-GB@dictionaries.addons.mozilla.org [19:07 27/11/2009]
{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} [06:06 28/11/2009]
{4176DFF4-4698-11DE-BEEB-45DA55D89593} [19:38 27/01/2010]
{66E978CD-981F-47DF-AC42-E3CF417C1467} [20:02 19/01/2010]
{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} [06:12 28/11/2009]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [18:46 08/01/2010]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)
-=E.O.F=-
Mike,
Run this free online virus scanner
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
mikepoet
2010-02-09, 05:05
Ken. notepad below. I still seem to be getting the new tab opening again in Firefox. ESET deleted 14 files in total.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
Mike,
I would like to see the log from ESET to see what has been removed
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
mikepoet
2010-02-10, 08:15
Ken
I ran combofix and it reset my computer and then just hung on the combofix screen all night. So I rebooted this morning and below is the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:11:59, on 10/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\FCP Internet Ltd\Ensure\Ensure.exe
C:\Users\Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [eTMonitor] "C:\Program Files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe"
O4 - HKCU\..\Run: [EPSON SX100 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\Windows\TEMP\E_S115E.tmp" /EF "HKCU"
O4 - Startup: Dropbox.lnk = Mike\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: evolve.lnk = C:\Program Files\FCP Internet Ltd\Evolve\v5.0\Evolve.exe
O4 - Global Startup: Ensure.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Ensure Service (EnsureServ) - Unknown owner - C:\Program Files\FCP Internet Ltd\Ensure\EnsureServ.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: ETOKSRV (eTSrv) - Aladdin Knowledge Systems, Ltd. - C:\Program Files\Aladdin\eToken\PKIClient\x32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8355 bytes
I am guessing that because combofix did not officially finish this is why I have not got a log for it.
Is there anything else aside from Avast that I need to disable before running combofix or is it a Windows 7 problem?
Mike
Mike,
C:\ComboFix.txt <--It should be here.
You should also be able to open ESET and find the log and post it
Hello Mike,
Combofix will run on Windows 7 32 bit and that looks like what you have, I never said anything because the other programs ran ok and thought maybe you where aware but with most programs in Vista and Windows 7 you should right click on it and select RUN AS ADMINISTRATOR
mikepoet
2010-02-11, 08:16
Ken
I have indeed been right clicking and running as administrator (even tried just double clicking in case that was the problem). Still no log. I shall run it today whilst I am out and let you know tonight if there is a difference.
In the ESET folder the only log that was there is posted above. I did run it twice so not sure if there is an archive for older logs?
Mike
mikepoet
2010-02-12, 08:47
Ken
So Combofix has been running for 24 hours now and not shutting off. It does seem to have killed something as I am now not getting redirected anywhere else.
What would you suggest as next/final steps.
Mike
CF should not have taken so long, is it still running ? You can find the log at C:\combofix.txt... Post it please