Virtumonde...and other problems!



justwayne
2010-04-25, 16:25
Hi,

I must confess that I have neglected my machine and didn't act quickly enough. My system has become incredibly slow to start (it takes up to 10 minutes to get to my homepage!), it stalls often, it freezes often and I get false warnings, which I suspect are due to FakeAlert. I was looking at the screen the other day as I was running Spybot and noticed that a whole bunch of files containing the word "Virtumonde" were being scanned. I hope someone is nice enough to help me, if I promise to be more vigilant in the future!! Here's my first HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:46 AM, on 25/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 8567 bytes

Thanks!
Christian
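A HijackThis log like the one above is triaged by eye: entries whose CLSID is registered but whose DLL is gone ("(no file)"), autoruns launched from user-writable folders, and services with no publisher string are the lines an analyst looks at first. The script below is an added example, not code from this thread or from the HijackThis project; it parses the O2/O3/O4/O23 line layout exactly as it appears in the log above (the regular expressions are my reading of that layout, not a documented grammar) and applies those three heuristics. The sample entries are copied from the log in this thread, except the `[CONSTRUCTED]` Temp autorun line, which is made up to exercise the autorun rule.

```python
import re
from dataclasses import dataclass

# Sample HijackThis 2.0.2 lines. All but the [CONSTRUCTED] line are taken from
# the log posted above; the [CONSTRUCTED] line is invented for this example.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\user\Local Settings\Temp\constructed_example.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line layouts as observed in HJT 2.0.2 output (assumed, not a published spec).
_LINE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
_BHO = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_RUN = re.compile(r"^(?P<hive>HK.*?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_SVC = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
_EXE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# Path fragments that indicate a location an ordinary user account can write to.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\",
                 "\\documents and settings\\")


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O2"
    rule: str     # which heuristic fired
    detail: str   # human-readable explanation for the analyst


def parse(text):
    """Yield (section, body) for each HJT entry line; non-entry lines are skipped."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text):
    """Return the entries an analyst should look at first, with the reason."""
    findings = []
    for section, body in parse(text):
        if section in ("O2", "O3"):
            m = _BHO.match(body)
            if not m:
                continue
            if m["path"].strip().lower() == "(no file)":
                # CLSID still registered but the DLL is gone: leftover or half-removed component.
                findings.append(Finding(section, "orphan-clsid",
                                        f"{{{m['clsid']}}} is registered but its DLL is missing"))
            elif m["name"].strip().lower() == "(no name)":
                findings.append(Finding(section, "unnamed-bho",
                                        f"{m['path']} loads with no display name; verify its publisher"))
        elif section == "O4":
            m = _RUN.match(body)
            if not m:
                continue
            exe = _EXE.search(m["cmd"])
            if exe and any(marker in exe["path"].lower() for marker in USER_WRITABLE):
                findings.append(Finding(section, "autorun-user-writable",
                                        f"[{m['name']}] runs {exe['path']} from a user-writable path"))
        elif section == "O23":
            m = _SVC.match(body)
            if m and m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding(section, "service-no-publisher",
                                        f"service '{m['name']}' at {m['path']} has no publisher string"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.rule:<24} {f.detail}")
```

The output is a review list, not a verdict: an orphaned CLSID is registry debris rather than proof of an active infection, and a missing publisher string is common for hardware-vendor services, which is why the helper in this thread asks for DDS and rootkit-scanner logs before deciding what to remove.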

km2357
2010-04-27, 20:15
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


Step # 2 Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Step # 3: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

justwayne
2010-04-27, 21:03
Hello and thank you for taking the time to help me!
I will follow your instructions, but I have one quick and silly question first: should I avoid using my computer until this is resolved?! In other words, when I post the logs you asked for, should I do it from a different computer?

justwayne
2010-04-27, 21:09
Well, two more things, actually:

1-Do you also need a new HJT log, once I'm done?
2-I'm on XP and share my computer with someone, so we each have two users on it, with each his own preferences. I don't know if this is relevant, but thought I would let you know, in case.

Thanks!

justwayne
2010-04-28, 01:00
Hi,
Well, I was able to disable Teatimer. I then ran DDS and got the two logs. When I ran "Gmer", I got the Blue Screen of Death within 5 minutes. At the top, it said "Page_in_nonpages_area" and at the bottom, it said "STOP: 0x00000050......"

I am attaching the two DDS logs, as you requested:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Christian at 17:43:27.70 on 27/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.154 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Christian.CATSEYE2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-9 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-20 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-10 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-9 1370488]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]

=============== Created Last 30 ================


==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 23:22:35 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-04 23:22:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-01-18 21:07:04 2198 -c--a-w- c:\program files\INSTALL.LOG

============= FINISH: 17:47:11.92 ===============


and:


DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 09/08/2009 9:17:50 AM
System Uptime: 27/04/2010 5:26:01 PM (0 hours ago)

Motherboard: Dell Inc. | | 0M3918
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 4.427 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: TI Technologies Inc.
Description: RADEON X300 Series Secondary
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&166AB6CD&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X300 Series Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&166AB6CD&0&0108
Service: ati2mtag

==== System Restore Points ===================

RP263: 31/03/2010 6:05:49 PM - System Checkpoint
RP264: 01/04/2010 6:25:26 AM - Software Distribution Service 3.0
RP265: 01/04/2010 4:46:59 PM - Software Distribution Service 3.0
RP266: 03/04/2010 4:01:48 PM - System Checkpoint
RP267: 04/04/2010 6:23:16 PM - System Checkpoint
RP268: 05/04/2010 7:01:19 PM - System Checkpoint
RP269: 06/04/2010 7:17:21 PM - System Checkpoint
RP270: 07/04/2010 7:46:20 PM - System Checkpoint
RP271: 08/04/2010 8:14:46 PM - System Checkpoint
RP272: 09/04/2010 10:25:17 PM - System Checkpoint
RP273: 10/04/2010 8:15:41 AM - Removed Bonjour
RP274: 11/04/2010 10:47:32 AM - System Checkpoint
RP275: 12/04/2010 12:48:54 PM - System Checkpoint
RP276: 13/04/2010 3:06:23 PM - System Checkpoint
RP277: 14/04/2010 7:23:32 AM - Software Distribution Service 3.0
RP278: 15/04/2010 7:47:25 AM - System Checkpoint
RP279: 15/04/2010 5:12:18 PM - Installed SUPERAntiSpyware Free Edition
RP280: 15/04/2010 7:48:37 PM - Removed SUPERAntiSpyware Free Edition
RP281: 16/04/2010 8:26:06 PM - System Checkpoint
RP282: 18/04/2010 4:44:00 PM - System Checkpoint
RP283: 19/04/2010 7:59:20 PM - System Checkpoint
RP284: 19/04/2010 7:37:58 PM - System Checkpoint
RP285: 20/04/2010 7:43:27 AM - Installed AVG 9.0
RP286: 21/04/2010 7:52:01 AM - System Checkpoint
RP287: 22/04/2010 8:23:34 AM - System Checkpoint
RP288: 23/04/2010 12:51:24 PM - System Checkpoint
RP289: 24/04/2010 5:48:24 PM - System Checkpoint
RP290: 26/04/2010 7:50:45 AM - System Checkpoint
RP291: 27/04/2010 8:09:19 AM - System Checkpoint

==== Installed Programs ======================

AAC Decoder
ACDSee Photo Manager 2009
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG 8.5
Bonjour
CCleaner
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DivX Version Checker
Google Toolbar for Internet Explorer
Google Update Helper
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Corporation
Microsoft LifeCam
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MKV Splitter
MSXML 6 Service Pack 2 (KB973686)
QuickTime
RealPlayer
RealUpgrade 1.0
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Skype web features
Skype™ 4.1
SoundMAX
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
VC80CRTRedist - 8.0.50727.4053
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Zinio Reader

km2357
2010-04-28, 04:22
I will follow your instructions, but I have one quick and silly question first: should I avoid using my computer until this is resolved?! In other words, when I post the logs you asked for, should I do it from a different computer?

The only silly question is the one not asked. :)

If you have access to a clean computer and a USB/Flash Drive (to transfer logs and programs back and forth), then you can use those to transfer programs and logs between the two computers. And then post the logs I ask for from the clean computer. I'll let you know when you need to do something directly on the infected computer, otherwise you can avoid using it (i.e. surfing the web on it).



1-Do you also need a new HJT log, once I'm done?

The DDS Log(s) I asked for give me a lot more information than a HJT log would. I see no need for a new HJT Log (at the moment), but I will be asking for new DDS Logs throughout the fix. :)



2-I'm on XP and share my computer with someone, so we each have two users on it, with each his own preferences. I don't know if this is relevant, but thought I would let you know, in case.

Thanks for letting me know. Are the problems you described in your first post only on your account? Or does it affect both accounts?



C: is FIXED (NTFS) - 71 GiB total, 4.427 GiB free.

The computer is extremely low on free space. You should go to Add/Remove Programs and uninstall any programs/games you no longer use/play. Also, if you have any music, movies, other files you no longer need you can either delete them or transfer them to a USB Drive or an External Hard Drive for storage.



Since GMER is giving you trouble, let's try another Rootkit Scanner in its place:


Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.


Double click Sysprot.exe to start the program.

Click on the Log tab.
In the Write to log box select the following items only:
Process
Kernel Modes
SSDT
Kernel Hooks
Hidden Files
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

justwayne
2010-04-28, 22:57
Hi!
Ok, I was able to run SysProt and here's the log below. By the way, you were asking if both accounts are affected by the problems; the answer is yes. I am working on clearing some old stuff to make some room on my computer. Thanks again. Here's the log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\smss.exe
PID: 844
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\csrss.exe
PID: 892
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\winlogon.exe
PID: 924
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 968
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\lsass.exe
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\ati2evxx.exe
PID: 1168
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1184
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1280
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1408
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1536
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 1656
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1700
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\spoolsv.exe
PID: 1948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 868
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 1060
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgfws8.exe
PID: 1208
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1560
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgam.exe
PID: 224
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PID: 384
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 336
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\svchost.exe
PID: 484
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgemc.exe
PID: 1428
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgcsrvx.exe
PID: 2632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\WBEM\unsecapp.exe
PID: 3040
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
PID: 3064
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\alg.exe
PID: 3308
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 604
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 944
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 8004
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 1160
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 8000
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 2880
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\Core\smax4pnp.exe
PID: 4912
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 1064
Hidden: No
Window Visible: No

Name: C:\WINDOWS\vVX3000.exe
PID: 5120
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Java\Java Update\jusched.exe
PID: 6212
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\ctfmon.exe
PID: 212
Hidden: No
Window Visible: No

Name: C:\Program Files\Messenger\msmsgs.exe
PID: 6148
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 2952
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Christian.CATSEYE2\Desktop\SysProt.exe
PID: 4632
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Christian.CATSEYE2\Desktop\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: BA7CD000
Module End: BA7D8000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F8B67000
Module End: F8B69000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F8A77000
Module End: F8A7A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F8538000
Module End: F8566000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F8B69000
Module End: F8B6B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F8527000
Module End: F8538000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F8667000
Module End: F8671000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F8C2F000
Module End: F8C30000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F88E7000
Module End: F88EE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F8B6B000
Module End: F8B6D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F8677000
Module End: F8682000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F8508000
Module End: F8527000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F88EF000
Module End: F88F4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F8687000
Module End: F8694000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F84F0000
Module End: F8508000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cercsr6.sys
Service Name: cercsr6
Module Base: F88F7000
Module End: F88FF000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F84D8000
Module End: F84F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F8697000
Module End: F86A0000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F86A7000
Module End: F86B4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F84B8000
Module End: F84D8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F84A6000
Module End: F84B8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F86B7000
Module End: F86C6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F86C7000
Module End: F86D0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F848F000
Module End: F84A6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F8402000
Module End: F848F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F83D5000
Module End: F8402000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F83BB000
Module End: F83D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\avgrkx86.sys
Service Name: AvgRkx86
Module Base: F8B6D000
Module End: F8B6F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F8837000
Module End: F8840000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F81E5000
Module End: F8362000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F81D1000
Module End: F81E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F89F7000
Module End: F89FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F81AD000
Module End: F81D1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F89FF000
Module End: F8A07000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Service Name: HSFHWBS2
Module Base: F8179000
Module End: F81AD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F8156000
Module End: F8179000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Service Name: HSF_DP
Module Base: F8057000
Module End: F8156000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: F7FB0000
Module End: F8057000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F8A07000
Module End: F8A0F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Service Name: E100B
Module Base: F7F8A000
Module End: F7FB0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys
Service Name: smwdm
Module Base: F7F4A000
Module End: F7F8A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F7F26000
Module End: F7F4A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F8847000
Module End: F8856000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\senfilt.sys
Service Name: senfilt
Module Base: F7E73000
Module End: F7F26000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F7E5F000
Module End: F7E73000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F8857000
Module End: F8867000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F8B37000
Module End: F8B3B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F8867000
Module End: F8877000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F8877000
Module End: F8886000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F8A0F000
Module End: F8A15000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F8887000
Module End: F8892000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
Service Name: Avgfwdx
Module Base: F8A17000
Module End: F8A1D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F8CE4000
Module End: F8CE5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F8897000
Module End: F88A4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F8B47000
Module End: F8B4A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F7E48000
Module End: F7E5F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F88A7000
Module End: F88B2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F88B7000
Module End: F88C3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F8A1F000
Module End: F8A24000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F7E37000
Module End: F7E48000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F88C7000
Module End: F88D0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F8A27000
Module End: F8A2C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F8A2F000
Module End: F8A34000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F88D7000
Module End: F88E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F8A37000
Module End: F8A3D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F8A3F000
Module End: F8A45000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F8B93000
Module End: F8B95000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F7DD9000
Module End: F7E37000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F8B4F000
Module End: F8B53000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F8707000
Module End: F8711000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F8717000
Module End: F8726000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F8B95000
Module End: F8B97000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Service Name: MODEMCSA
Module Base: F837A000
Module End: F837E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F8B99000
Module End: F8B9B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F8B9B000
Module End: F8B9D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F8A5F000
Module End: F8A66000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F8A67000
Module End: F8A6D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F8B9D000
Module End: F8B9F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F8B9F000
Module End: F8BA1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F8907000
Module End: F890F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F8362000
Module End: F8365000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EFA8F000
Module End: EFAA2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EFA36000
Module End: EFA8F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: EFA1D000
Module End: EFA36000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EF9F7000
Module End: EFA1D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EF9CF000
Module End: EF9F7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F8747000
Module End: F8750000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: F8B13000
Module End: F8B16000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EF9AD000
Module End: EF9CF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F8757000
Module End: F8760000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EF982000
Module End: EF9AD000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
Service Name: OMCI
Module Base: F8B1B000
Module End: F8B1F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EF8EA000
Module End: EF95A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F8777000
Module End: F8782000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F891F000
Module End: F8927000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F8927000
Module End: F892D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: EF899000
Module End: EF8EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: F8B2B000
Module End: F8B2E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F87A7000
Module End: F87B0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VX3000.sys
Service Name: VX3000
Module Base: EF61B000
Module End: EF7F9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Service Name: ---
Module Base: F87B7000
Module End: F87C4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\usbaudio.sys
Service Name: usbaudio
Module Base: F87C7000
Module End: F87D6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F8B2F000
Module End: F8B32000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F7DC9000
Module End: F7DCD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F8807000
Module End: F8817000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF0BF000
Module End: EF0D7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8BB9000
Module End: F8BBB000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EFCCD000
Module End: EFCD0000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F8947000
Module End: F894C000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F8D53000
Module End: F8D54000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: ECFBB000
Module End: ECFBF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: ECC5A000
Module End: ECC87000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: ECA66000
Module End: ECA69000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EC9D3000
Module End: ECA2A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EC766000
Module End: EC77B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EC7DB000
Module End: EC7EA000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Service Name: TDTCP
Module Base: F89E7000
Module End: F89ED000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Service Name: RDPWD
Module Base: EC515000
Module End: EC538000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EC0AE000
Module End: EC0EF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B9783000
Module End: B97AE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B975F000
Module End: B9783000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F8BF9000
Module End: F8BFB000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F8D42000
Module End: F8D43000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F8A6F000
Module End: F8A74000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F86B787E
Driver Base: F86B7000
Driver End: F86C6000
Driver Name: Lbd.sys

Function Name: ZwSetValueKey
Address: F86B7BFE
Driver Base: F86B7000
Driver End: F86C6000
Driver Name: Lbd.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Altino\Favorites\New Folder\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\Favorites\New Folder\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\Favorites\New Folder\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\2FMG9Q5S\PagePos=1&adtype=PROMO_TEXT&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&SE
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\2FMG9Q5S\PagePos=2&adtype=GOOGLE&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&SECTIO
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\2FMG9Q5S\PagePos=5&show=TU&topic1=RECIPE_CONTENT&chef=TYLER_FLORENCE&ingredient=FRUIT&ingredient=POTATOES&interest=EASY&mealpart=DINNER&mealpart=
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=LEADERBOARD&adsize=468x60&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=PRESTITIAL&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&SE
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=RECIPE_TOOLBAR&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=SUPERSTITIAL&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=SUPERSTITIAL&PagePos=2&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\adtype=SUPERSTITIAL&PagePos=3&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_1&
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\5TYVE1LX\PagePos=1&adtype=BASEBOARD&show=TU&topic1=RECIPE_CONTENT&chef=TYLER_FLORENCE&ingredient=FRUIT&ingredient=POTATOES&interest=EASY&mealpart
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\0x600&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagetype=EPISODE&uni
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\adtype=LEADERBOARD&adsize=468x60&PagePos=1&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RE
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\adtype=SUPERSTITIAL&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagety
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\8U9ZA9DI\adtype=SUPERSTITIAL&PagePos=2&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagety
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\K9CHMAC8\adtype=PRESTITIAL&PagePos=1&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagetype
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\K9CHMAC8\adtype=SUPERSTITIAL&PagePos=3&SUBSECTION=SHOW_TU&vgncontent=SHOWS_A_TO_Z&category=TV&site=FOOD&tile=227484268110228&ord=902225656&pagety
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Local Settings\Temp\Temporary Internet Files\Content.IE5\K9CHMAC8\PagePos=1&topic1=TYLER_FLORENCE&category=RECIPES&site=FOOD&tile=13264352199936&ord=902247562&pagetype=RECIPE&uniqueid=FOOD_RECIPE_33782_
Status: Hidden

Object: C:\Documents and Settings\Altino\My Documents\Altino\Recent\Bossa NnRoses.lnk
Status: Hidden

Object: C:\Documents and Settings\Altino.CATSEYE2\Local Settings\Temporary Internet Files\Content.IE5\9X1YRZTY\Final Crisis
Status: Hidden

Object: C:\Documents and Settings\Christian\Desktop\Altino's favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Desktop\RE_ Yvon et Phalla...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\012NSXAR\RE_ Yvon et Phalla...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\2LMNA3G9\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\EFQJAD6R\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\O1EFODI3\Délai...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\O1EFODI3\RE_ oui, le message se rend...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\QVEJUP2J\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\Documents and Settings\Christian\My Documents\Christian\Local Settings\Temporary Internet Files\Content.IE5\YER48X15\RE _ Sur la question des cadeaux de Noël...
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{02F8B483-2966-472B-A12B-0937551E341B}
Status: Access denied

Object: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}
Status: Access denied

Object: C:\System Volume Information\_restore{98054201-3FC1-48C4-AF21-5943FE809E52}
Status: Access denied

Object: C:\System Volume Information\_restore{9F47AE68-40F3-4B6C-8F59-1D7184167832}
Status: Access denied

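Added here as an editorial example, not code from the thread, from SysProt or from either participant: a small Python triage script for the SysProt log layout used in the instructions and the log above. It splits the log on its asterisk rules, parses each section into key/value records, and ranks what the tool reports: hidden processes and hidden kernel modules high, SSDT hooks medium unless the analyst allowlists the driver, hidden files low, with the crash-dump drivers (dump_*) and the access-denied System Volume Information entries treated as expected. The sample log is a constructed excerpt, and treating Lbd.sys as the installed Ad-Aware's driver is an assumption the analyst makes by passing it in the allowlist.

```python
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]
Report = Dict[str, List[Record]]
Finding = Tuple[str, str, str]  # (severity, section, detail)

# SysProt separates its sections with long rules of asterisks.
SEPARATOR = re.compile(r"^\*{10,}[ \t]*$", re.MULTILINE)

# Constructed excerpt in SysProt's layout (cut down from the log posted above).
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
Process:
Name: C:\WINDOWS\SYSTEM32\smss.exe
PID: 844
Hidden: No

Name: C:\WINDOWS\SYSTEM32\services.exe
PID: 4
Hidden: Yes

******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Hidden: Yes

******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F86B787E
Driver Name: Lbd.sys

******************************************************************************************
No Kernel Hooks found

******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\Documents and Settings\Altino\Recent\Bossa NnRoses.lnk
Status: Hidden
"""


def parse_sysprot(text: str) -> Report:
    """Split the log on its asterisk rules; each section becomes a list of key/value records."""
    report: Report = {}
    for chunk in SEPARATOR.split(text):
        lines = [l.rstrip() for l in chunk.strip("\n").splitlines()]
        if not lines:
            continue
        header = lines[0].strip().rstrip(":")  # "Process:", "SSDT:", "No Kernel Hooks found"
        records: List[Record] = []
        current: Record = {}
        for line in lines[1:] + [""]:  # sentinel blank closes the last record
            key, sep, value = line.partition(": ")
            if sep:
                current[key.strip()] = value.strip()
            elif current:  # a blank (or non key/value) line closes the record
                records.append(current)
                current = {}
        report[header] = records
    return report


# Crash-dump copies of the boot storage stack (dump_atapi.sys, dump_WMILIB.SYS) are
# loaded outside the normal module list, so anti-rootkit tools report them as hidden.
EXPECTED_HIDDEN_MODULE_PREFIXES = ("dump_",)
SYSTEM_RESTORE_STORE = "c:\\system volume information"


def triage(report: Report, trusted_ssdt_drivers: Tuple[str, ...] = ()) -> List[Finding]:
    """Rank the log's findings; trusted_ssdt_drivers is the analyst's own lowercase allowlist."""
    findings: List[Finding] = []
    for proc in report.get("Process", []):
        if proc.get("Hidden") == "Yes":
            findings.append(("high", "Process",
                             f"hidden process {proc.get('Name')} (PID {proc.get('PID')})"))
    for mod in report.get("Kernel Modules", []):
        if mod.get("Hidden") != "Yes":
            continue
        name = mod.get("Module Name", "")
        base = name.rsplit("\\", 1)[-1].lower()
        sev = "info" if base.startswith(EXPECTED_HIDDEN_MODULE_PREFIXES) else "high"
        findings.append((sev, "Kernel Modules", f"hidden module {name}"))
    for hook in report.get("SSDT", []):
        drv = hook.get("Driver Name", "")
        sev = "info" if drv.lower() in trusted_ssdt_drivers else "medium"
        findings.append((sev, "SSDT",
                         f"{hook.get('Function Name')} hooked by {drv} at {hook.get('Address')}"))
    for obj in report.get("Hidden files/folders", []):
        path, status = obj.get("Object", ""), obj.get("Status", "")
        if status == "Access denied" and path.lower().startswith(SYSTEM_RESTORE_STORE):
            continue  # System Restore's store is unreadable by design, not a hiding technique
        findings.append(("low", "Hidden files/folders", f"{status}: {path}"))
    return findings
```

Run `triage(parse_sysprot(SAMPLE_LOG), ("lbd.sys",))` to see the four ranked findings; without the allowlist the Lbd.sys SSDT hook is reported as medium instead of info.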
km2357
2010-04-29, 05:55
By the way, you were asking if both accounts are affected by the problems; the answer is yes.

Ok. Once we're finished working on your account and if the other account still has problems, we'll work on that account. :) When/if the time comes, we'll continue in this thread, no need to start a new one.


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

justwayne
2010-04-30, 00:53
Hi, here's the ComboFix log:

ComboFix 10-04-29.01 - Christian 29/04/2010 17:06:48.1.2 - x86
Running from: c:\documents and settings\Christian.CATSEYE2\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Altino\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Altino\System
c:\documents and settings\Altino\System\win_qs8.jqx
c:\documents and settings\Christian\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Christian\System
c:\documents and settings\Christian\System\win_qs8.jqx
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-1292428093-776561741-682003330-1005
c:\recycler\S-1-5-21-1292428093-776561741-682003330-1006
c:\recycler\S-1-5-21-1915440068-4218434781-2478028672-1006
c:\recycler\S-1-5-21-1915440068-4218434781-2478028672-1007
c:\recycler\S-1-5-21-1915440068-4218434781-2478028672-500
c:\recycler\S-1-5-21-4122468611-1368610669-1466313096-1138
c:\windows\system32\vos
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-25 03:32 . 2010-04-25 03:32 -------- d-----w- c:\documents and settings\Altino.CATSEYE2\Application Data\Malwarebytes
2010-04-24 21:21 . 2010-04-24 21:21 -------- d-----w- c:\documents and settings\Christian.CATSEYE2\Application Data\Malwarebytes
2010-04-24 21:18 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 21:16 . 2010-04-24 21:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-04-24 21:16 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 00:31 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-21 00:30 . 2010-04-21 00:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-21 00:24 . 2010-04-21 00:25 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-15 22:14 . 2010-04-15 22:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-04-09 17:34 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-04-09 17:34 . 2001-08-17 18:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-03-31 19:37 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-31 19:36 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-03-31 19:36 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-31 19:36 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-03-31 01:04 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 22:15 . 2009-08-15 01:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-04-25 21:40 . 2010-02-02 00:03 -------- d-----w- c:\documents and settings\Christian.CATSEYE2\Application Data\Skype
2010-04-25 21:24 . 2010-02-02 00:08 -------- d-----w- c:\documents and settings\Christian.CATSEYE2\Application Data\skypePM
2010-04-24 21:20 . 2008-08-31 13:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 00:25 . 2005-05-18 11:18 -------- d-----w- c:\program files\Lavasoft
2010-04-21 00:22 . 2009-08-15 01:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-04-20 12:37 . 2009-01-10 19:27 -------- d-----w- c:\program files\AVG
2010-04-17 14:10 . 2009-08-26 05:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 13:14 . 2010-02-03 07:39 265056 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-16 00:51 . 2008-08-26 10:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-16 00:51 . 2009-02-09 21:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-15 00:05 . 2009-08-15 02:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-04-11 04:09 . 2009-08-10 05:22 13104 -c--a-w- c:\documents and settings\Altino.CATSEYE2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-30 23:48 . 2009-08-09 14:13 77423 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-03-30 11:42 . 2009-10-25 15:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
2010-03-14 15:18 . 2009-02-06 22:40 -------- d-----w- c:\program files\CCleaner
2010-03-12 01:14 . 2005-04-05 12:05 -------- d-----w- c:\program files\Common Files\Java
2010-03-12 01:11 . 2005-04-05 12:05 -------- d-----w- c:\program files\Java
2010-03-11 01:46 . 2009-10-25 14:52 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Temp
2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 05:04 . 2005-05-08 17:51 -------- d-----w- c:\program files\DivX
2010-03-05 05:02 . 2009-08-16 17:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-04 23:24 . 2005-04-05 12:08 -------- d-----w- c:\program files\Real
2010-03-04 23:22 . 2010-03-04 23:22 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-04 23:22 . 2010-03-04 23:22 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-25 06:24 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 15:08 . 2009-08-15 14:54 12328 -c--a-w- c:\documents and settings\Christian.CATSEYE2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 00:08 . 2010-02-02 00:08 56 ---ha-w- c:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:02 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-16 68856]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2009-07-21 2707526]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-09 122368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-04 202256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"VX3000"="c:\windows\vVX3000.exe" [2009-07-24 762208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-10 13:31 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avgfws8"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7957:TCP"= 7957:TCP:Services
"7958:TCP"= 7958:TCP:Services
"3071:TCP"= 3071:TCP:Services
"4642:TCP"= 4642:TCP:Services
"2338:TCP"= 2338:TCP:Services
"3176:TCP"= 3176:TCP:Services
"1666:TCP"= 1666:TCP:Services
"1832:TCP"= 1832:TCP:Services

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [09/08/2009 1:08 PM 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [20/04/2010 7:31 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [09/08/2009 1:08 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [09/08/2009 1:08 PM 108552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 10:52 AM 1265264]
R3 Avgfwdx;Avgfwdx;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [09/08/2009 1:07 PM 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/01/2010 8:31 AM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\SYSTEM32\DRIVERS\avgfwdx.sys [09/08/2009 1:07 PM 29208]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/01/2009 2:27 PM 908056]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/01/2009 2:27 PM 297752]
S4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [09/08/2009 1:07 PM 1370488]
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:30]

2010-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 13:28]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 13:28]

2010-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1592454029-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-57989841-1592454029-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1592454029-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-04-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-57989841-1592454029-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D4C6D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86abf28
\Driver\ACPI -> ACPI.sys @ 0xf853ecb8
\Driver\atapi -> 0x82d4c6d8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x829008f0
PacketIndicateHandler -> NDIS.sys @ 0xf83f7a21
SendHandler -> NDIS.sys @ 0xf83d587b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-04-29 17:52:10
ComboFix-quarantined-files.txt 2010-04-29 22:52

Pre-Run: 3,506,909,184 bytes free
Post-Run: 13,486,489,600 bytes free

- - End Of File - - 048380970F3D4D112A04634118D72BF0

Everything went well, I guess. I am not sure I was able to disable AVG, as required, as it showed a message at the beginning of the scan telling me it was still active!
I appreciate your help. This scan actually cleared almost 10 GB off! I should mention that two years ago, I had to do a Repair Install and I think I might have installed a second copy of XP on this computer by accident!

Thanks again!

km2357
2010-04-30, 06:36
To disable AVG 8.5, you can follow the instructions located at the website below:

http://www.avg.com/us-en/faq?num=1209


Do you or the other person using the computer recognize the following files/links?

C:\Documents and Settings\Altino\Favorites\New Folder\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
C:\Documents and Settings\Altino\Favorites\New Folder\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
C:\Documents and Settings\Altino\Favorites\New Folder\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
C:\Documents and Settings\Altino\My Documents\Altino\Recent\Bossa NnRoses.lnk
C:\Documents and Settings\Christian\Desktop\Altino's favorites\Altino`s Links\Links\Karisik çizgi romanlar - Sayfa 19 - Forumuz.biz.url
C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgi Roman Istekleri - Sayfa 43 - Forumuz.biz.url
C:\Documents and Settings\Christian\Desktop\Altino's favorites\Çizgiroman Dagitim - Sayfa 14 - Forumuz.biz.url
C:\Documents and Settings\Christian\My Documents\Christian\Desktop\RE_ Yvon et Phalla...


Did you or the other account user open/recognize the following ports?

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7957:TCP"= 7957:TCP:Services
"7958:TCP"= 7958:TCP:Services
"3071:TCP"= 3071:TCP:Services
"4642:TCP"= 4642:TCP:Services
"2338:TCP"= 2338:TCP:Services
"3176:TCP"= 3176:TCP:Services
"1666:TCP"= 1666:TCP:Services
"1832:TCP"= 1832:TCP:Services


Upload Files

Go to Jotti (http://virusscan.jotti.org)
Copy the following line into the white textbox:
c:\windows\system32\ezsidmv.dat
Click Submit.
Please post the results of this scan to this thread.

If Jotti is busy, Go to VirusTotal (http://www.virustotal.com/en/indexf.html) and scan the file(s) there.


Please run the following:

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.

Extract TDSSKiller.exe to your Desktop.

Run TDSSKiller.exe. You may be prompted to restart your machine. Type Y at the prompt.

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.

If TDSSKiller does not reboot your computer, please reboot it.

Once it has booted back up, do the following:


Run Batchfile

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it mbrlog.bat. Please save it on your desktop.


@echo off
mbr.exe -t
start mbr.log
del %0

Double click mbrlog.bat. A window will open and close. This is normal.


In your next post/reply, I need to see the following:

1. Answers to my questions about the files/links and the open firewall ports.
2. The Jotti/Virustotal Results
3. The TDSSKiller Log
4. The mbrlog.bat Log/Results

justwayne
2010-04-30, 23:16
Hi!

First off, in response to your question: we know what those files/links are and use them frequently, except for the last one (which was an old email I had saved to my desktop a long time ago, I think) and the one that reads "BossaNnRoses", which is an old music file from years ago! Those two files are not important. As for the ports, we have no clue what they are or what they do!

Now, about the logs: I was successful with the VirusTotal one, although it didn't give the option of saving a log. I copied it to the note pad and will attach it here at the end of my paragraph. The second one gave me a hard time. I was simply unable to run the file! I tried everything, downloaded it a second time and it still does nothing. It doesn't open or anything! Hopefully, I did the right thing by moving on. I was able to save the mbrlog.bat log.
So here are two of the three logs requested:

File ezsidmv.dat received on 2010.04.30 20:43:47 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.30 -
AhnLab-V3 2010.04.30.02 2010.04.30 -
AntiVir 8.2.1.224 2010.04.30 -
Antiy-AVL 2.0.3.7 2010.04.30 -
Authentium 5.2.0.5 2010.04.30 -
Avast 4.8.1351.0 2010.04.30 -
Avast5 5.0.332.0 2010.04.30 -
AVG 9.0.0.787 2010.04.30 -
BitDefender 7.2 2010.04.30 -
CAT-QuickHeal 10.00 2010.04.29 -
ClamAV 0.96.0.3-git 2010.04.30 -
Comodo 4721 2010.04.30 -
DrWeb 5.0.2.03300 2010.04.30 -
eSafe 7.0.17.0 2010.04.29 -
eTrust-Vet 35.2.7462 2010.04.30 -
F-Prot 4.5.1.85 2010.04.30 -
F-Secure 9.0.15370.0 2010.04.30 -
Fortinet 4.0.14.0 2010.04.30 -
GData 21 2010.04.30 -
Ikarus T3.1.1.80.0 2010.04.30 -
Jiangmin 13.0.900 2010.04.29 -
Kaspersky 7.0.0.125 2010.04.30 -
McAfee 5.400.0.1158 2010.04.30 -
McAfee-GW-Edition 6.8.5 2010.04.30 -
Microsoft 1.5703 2010.04.30 -
NOD32 5076 2010.04.30 -
Norman 6.04.12 2010.04.30 -
nProtect 2010-04-30.01 2010.04.30 -
Panda 10.0.2.7 2010.04.30 -
PCTools 7.0.3.5 2010.04.30 -
Prevx 3.0 2010.04.30 -
Rising 22.45.04.03 2010.04.30 -
Sophos 4.53.0 2010.04.30 -
Sunbelt 6242 2010.04.30 -
Symantec 20091.2.0.41 2010.04.30 -
TheHacker 6.5.2.0.274 2010.04.30 -
TrendMicro 9.120.0.1004 2010.04.30 -
TrendMicro-HouseCall 9.120.0.1004 2010.04.30 -
VBA32 3.12.12.4 2010.04.30 -
ViRobot 2010.4.30.2297 2010.04.30 -
VirusBuster 5.0.27.0 2010.04.30 -

Additional information
File size: 56 bytes
MD5...: a02aaf0f1779e3395d94b346b477c858
SHA1..: 2ed5eec2a37357689fd37e787916d67502434c7d
SHA256: 65a4d998672e09f4995307d7b9e0a3fc7dc30425469b916a5f14b265fc827690
ssdeep: 3:pfCAnY/rg1CSupwCsftDn:pfCA4U1buelftD
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

And:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D601A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82d601a0
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828e78f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Looking forward to reading your next instructions! Thanks!

km2357
2010-05-01, 01:43
except for the last one (which was an old email I had saved to my desktop a long time ago, I think) and the one that reads "BossaNnRoses", which is an old music file from years ago! Those two files are not important.

If you no longer use/need those files you can go ahead and delete them. :)


Step # 1: Download and Run HAMeb_Check by noahdfear.

Download and run HAMeb_check.exe (http://noahdfear.net/downloads/HAMeb_check.exe)
Post the contents of the resulting log.



Step # 2 Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
atapi.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt



Step # 3 Download and Run Maxlook by noahdfear.

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console (http://www.bleepingcomputer.com/tutorials/tutorial117.html)

If you do not have Recovery Console installed, let me know and do not go any further with this step.

Next, please download maxlook (http://noahdfear.net/downloads/maxlook.exe), saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

http://noahdfear.net/WTT/lookXP.gif

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt


In your next post/reply, I need to see the following:

1. The HAMeb_check Log
2. The SystemLook Log
3. The Maxlook Log

justwayne
2010-05-01, 02:40
Hi,

I was able to get the first two logs. As for the third thing you need me to run, how do I know whether I have the recovery console installed or not? I think I do, but am not sure. In fact, if I'm not mistaken, you asked me to run something the other day that prompted an auto-install of the console, which was successful. Is there an easy way to find out? I hope I don't have to hunt around for the install cd, because I bought this computer with XP already installed and had to fight with Dell's Customer Service for them to send me some kind of backup! All they sent me was 3-4 disks containing backup for this and that and to repair or reinstall Windows. I don't remember seeing the recovery console on one of them, but I could be wrong.

In any case, I am posting the first two logs as requested. By the way, can you tell me your first impressions on the situation? I keep seeing the word "infected" in those logs, but what is the infection? Just a trojan?

C:\Documents and Settings\Christian.CATSEYE2\Local Settings\Temporary Internet Files\Content.IE5\IGCKVC2N\HAMeb_check[1].exe
30/04/2010 at 19:57:53.34

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-57989841-1592454029-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x829CE770]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x829ce770
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828dd8f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7957:TCP"=7957:TCP:*:Enabled:Services
"7958:TCP"=7958:TCP:*:Enabled:Services
"3071:TCP"=3071:TCP:*:Enabled:Services
"4642:TCP"=4642:TCP:*:Enabled:Services
"2338:TCP"=2338:TCP:*:Enabled:Services
"3176:TCP"=3176:TCP:*:Enabled:Services
"1666:TCP"=1666:TCP:*:Enabled:Services
"1832:TCP"=1832:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"7957:TCP"=7957:TCP:*:Enabled:Services
"7958:TCP"=7958:TCP:*:Enabled:Services
"3071:TCP"=3071:TCP:*:Enabled:Services
"4642:TCP"=4642:TCP:*:Enabled:Services
"2338:TCP"=2338:TCP:*:Enabled:Services
"3176:TCP"=3176:TCP:*:Enabled:Services
"1666:TCP"=1666:TCP:*:Enabled:Services
"1832:TCP"=1832:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services


~~ EOF ~~


AND:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:59 on 30/04/2010 by Christian (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\I386\atapi.sys --a--c 95360 bytes [00:08 15/04/2005] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:21 30/03/2010] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [22:47 29/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys --a--- 96512 bytes [10:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SYSTEM32\ReinstallBackups\0036\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:38 09/08/2009] [10:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\SYSTEM32\ReinstallBackups\0044\DriverFiles\i386\atapi.sys --a--c 95360 bytes [16:38 09/08/2009] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

km2357
2010-05-01, 19:12
I was able to get the first two logs. As for the third thing you need me to run, how do I know whether I have the recovery console installed or not?

When you start the computer, do you see a screen that lets you select between Windows XP and Recovery Console? If you do, then you have Recovery Console installed. :) When that screen comes up, press the up or down arrow and select Recovery Console before the time runs out. If you do see this screen and do have the Recovery Console, go ahead and do Step #3 of my previous post.



if I'm not mistaken, you asked me to run something the other day that prompted an auto-install of the console, which was successful.

That was ComboFix. :)



In any case, I am posting the first two logs as requested. By the way, can you tell me your first impressions on the situation? I keep seeing the word "infected" in those logs, but what is the infection? Just a trojan?

What I'm seeing from the logs, particularly the HAMeb_check log, is that you have the HelpAssistant infection/virus. This virus opens up bad firewall ports, slows your computer down, creates a HelpAssistant directory in the Documents and Settings folder which can fill up quickly and use your hard drive space, and it can infect the master boot record.
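
As an added defender's example (not code from this thread, nor from HAMeb_check, ComboFix or any other tool named in it), the following Python script parses the kind of log text posted above and reports the HelpAssistant indicators km2357 describes: a HelpAssistant profile directory, termsrv32.dll registered as the Terminal Services ServiceDll, the MBR warning, and globally open firewall ports that are not on an expected list. It answers the earlier question about the ports in a mechanical way: anything not explained by a known application is flagged. The allowlist (only 3389, the Remote Desktop entry) and the embedded sample log, an excerpt constructed from the HAMeb_check output above, are assumptions for the example; it accepts both the HAMeb_check and the ComboFix rendering of the GloballyOpenPorts entries, which goes beyond the single log shown.

```python
"""Triage a HAMeb_check / ComboFix log excerpt for HelpAssistant indicators.

Added example for this thread; not code from HAMeb_check, ComboFix or any
other tool the thread names. The allowlist of expected ports and the
sample log are assumptions made for the example.
"""
import re

# Ports this machine is expected to have opened on purpose (assumption for
# the example): 3389 is the Remote Desktop entry seen in the log.
EXPECTED_PORTS = {3389}

# Registry key header that opens a GloballyOpenPorts list for one profile.
FIREWALL_KEY_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]$"
)
# One open-port entry. HAMeb_check prints "port:TCP"=port:TCP:*:Enabled:label,
# ComboFix prints "port:TCP"= port:TCP:label; the optional group covers both.
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\1:\2(?::\*:Enabled)?:(.+)$')


def triage(log_text, expected_ports=EXPECTED_PORTS):
    """Return the HelpAssistant indicators found in the log text."""
    findings = {
        "helpassistant_profile": False,  # a HelpAssistant profile directory is listed
        "termsrv32_servicedll": False,   # TermService ServiceDll points at termsrv32.dll
        "mbr_warning": False,            # the embedded MBR check reports an infection
        "unexpected_ports": {},          # profile -> [(port, proto, label), ...]
    }
    profile = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            profile = None  # a blank line ends the current port list
            continue
        if re.search(r"\\Documents and Settings\\HelpAssistant$", line):
            findings["helpassistant_profile"] = True
        elif line.startswith("ServiceDll") and line.lower().endswith("termsrv32.dll"):
            findings["termsrv32_servicedll"] = True
        elif "MBR rootkit infection detected" in line:
            findings["mbr_warning"] = True
        key = FIREWALL_KEY_RE.match(line)
        if key:
            profile = key.group(1)
            continue
        entry = PORT_RE.match(line)
        if entry and profile is not None:
            port, proto, label = int(entry.group(1)), entry.group(2), entry.group(3)
            if port not in expected_ports:
                findings["unexpected_ports"].setdefault(profile, []).append((port, proto, label))
    return findings


def report(findings):
    """Render findings as lines a helper could paste back into a reply."""
    lines = []
    if findings["helpassistant_profile"]:
        lines.append("HelpAssistant profile directory present")
    if findings["termsrv32_servicedll"]:
        lines.append("TermService ServiceDll points at termsrv32.dll")
    if findings["mbr_warning"]:
        lines.append("MBR check reports a rootkit infection")
    for profile, entries in sorted(findings["unexpected_ports"].items()):
        ports = ", ".join(f"{p}/{proto} ({label})" for p, proto, label in entries)
        lines.append(f"{profile}: unexpected globally open ports: {ports}")
    return lines or ["no HelpAssistant indicators found"]


# Constructed excerpt in the shape of the HAMeb_check log posted in the thread.
SAMPLE_LOG = r"""
~~ Checking profile list ~~

S-1-5-21-57989841-1592454029-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking mbr ~~

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"2898:TCP"=2898:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"4296:TCP"=4296:TCP:*:Enabled:Services
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a saved HAMeb_check or ComboFix log by passing the file's text to triage(). The allowlist is the part that needs local judgement: a port labelled "Services" with no program that explains it is exactly the kind of entry the helper asked about, whereas a port the owner opened deliberately belongs in EXPECTED_PORTS so it stops being reported.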

justwayne
2010-05-02, 15:29
Hello,
I'm stuck! I did find the recovery console and ran Maxlook. I restarted my computer, copied/pasted maxlook -sig. The next thing that popped up was the .exe file prompting me to run the application! Of course, since I was warned not to run Maxlook more than once, I didn't!
So as a result, I don't have a log!! Did I do something wrong?:confused:

km2357
2010-05-02, 19:09
Let's try it again, step by step.

First, boot up your computer into Normal Mode and once your computer loads, go to Start > Run, and copy/paste the following into the Run box then press Enter.

maxlook -cleanup


Once that is done, still in normal mode, double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Once in Recovery Console, execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

http://noahdfear.net/WTT/lookXP.gif

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Normal Mode, go to Start > Run, and copy/paste the following into the Run box then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt

justwayne
2010-05-02, 20:47
Well, I don't know why, but it simply doesn't work. I followed your instructions to the letter. The cleanup file ran and then in the window, it said "press any key to continue", which I did and then the box disappeared. I never saw a message that prompted me to restart my computer. So I did restart it and went to the recovery console, entered the "batch look.bat" command, only this time, it says something to the effect of "file not found"! I was really careful, read everything several times, step by step and double-checked the spelling and everything. What can I do! (I wish you were my next door neighbour, it would be easier!!!)

km2357
2010-05-03, 06:00
It's no problem, we'll try again. :)

Did you have maxlook.exe on your computer after running maxlook -cleanup or was it gone? If it was gone, I think what happened was when you ran maxlook -cleanup, it deleted maxlook.exe and look.bat files. My fault for not having you redownload maxlook.exe again. Let's do this again.

First, please download maxlook (http://noahdfear.net/downloads/maxlook.exe), saving the file to your Desktop.

Once maxlook.exe has been saved to your Desktop, repeat the steps from my last post:

double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Once in Recovery Console, execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

http://noahdfear.net/WTT/lookXP.gif

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Normal Mode, go to Start > Run, and copy/paste the following into the Run box then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt

justwayne
2010-05-04, 02:00
Hello, here's the log. It's rather short! I was sort of expecting another long one full of complicated codes!!


Run from C:\Documents and Settings\Christian.CATSEYE2\Desktop\maxlook.exe on 03/05/2010 at 19:41:48.89

--------- maxlook unsigned files ---------

c:\windows\maxdriver\cercsr6.sys:
Verified: Unsigned
File date: 4:14 PM 13/12/2004
Publisher: Adaptec, Inc.
Description: DELL CERC SATA1.5/6ch Miniport Driver
Product: Dell RAID Controller
Version: 4.1.0.7405
File version: 4.1.0.7405
c:\windows\maxdriver\omci.sys:
Verified: Unsigned
File date: 8:42 AM 22/08/2001
Publisher: Dell Computer Corporation
Description: OMCI Device Driver
Product: OMCI Driver
Version: 6, 1, 0, 242
File version: 6, 1, 0, 242

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\cercsr6.sys:
Verified: Unsigned
File date: 4:14 PM 13/12/2004
Publisher: Adaptec, Inc.
Description: DELL CERC SATA1.5/6ch Miniport Driver
Product: Dell RAID Controller
Version: 4.1.0.7405
File version: 4.1.0.7405
c:\windows\system32\drivers\omci.sys:
Verified: Unsigned
File date: 8:42 AM 22/08/2001
Publisher: Dell Computer Corporation
Description: OMCI Device Driver
Product: OMCI Driver
Version: 6, 1, 0, 242
File version: 6, 1, 0, 242



Looking forward to hearing the next step!
Thanks!

km2357
2010-05-04, 20:09
Nice work on getting the Maxlook Log. :D I see no problems in the log. :)

Let's continue.


Step # 1: Download and Run HelpAsst_mebroot_fix by noahdfear.

Please download HelpAsst_mebroot_fix.exe (http://noahdfear.net/downloads/HelpAsst/HelpAsst_mebroot_fix.exe) and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

justwayne
2010-05-04, 20:51
Ok, I will download and run the tool when I get home from work. Out of curiosity, are all these logs simply used to identify the problem or do they actually fix anything at the same time?

Another quick question: wouldn't it have been simpler to do a Windows Repair or is the problem more complex and that is why we're going through all these steps?

justwayne
2010-05-05, 02:53
Well, Mebroot is still running after...two hours! I hope this is normal. It now tells me "HelpAssistant directory found~attempting to remove" and that it could take a while. Looks like we're on the right track, doesn't it?!!
Well, I hope it doesn't take all night, because if it does, it will be left unattended!!

justwayne
2010-05-05, 03:42
Ok, it's not too late, so I am posting my log before going to bed!!


C:\Documents and Settings\Christian.CATSEYE2\Desktop\HelpAsst_mebroot_fix.exe
04/05/2010 at 19:05:22.50

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"7957:TCP"=-
"7958:TCP"=-
"3071:TCP"=-
"4642:TCP"=-
"2338:TCP"=-
"3176:TCP"=-
"1666:TCP"=-
"1832:TCP"=-
"2898:TCP"=-
"4296:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"7957:TCP"=-
"7958:TCP"=-
"3071:TCP"=-
"4642:TCP"=-
"2338:TCP"=-
"3176:TCP"=-
"1666:TCP"=-
"1832:TCP"=-
"2898:TCP"=-
"4296:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-57989841-1592454029-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 04/05/2010 at 21:32:16.17

Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82B66AE0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82b66ae0
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828a18f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-57989841-1592454029-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.CATSEYE2

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.CATSEYE2

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2898:TCP"=2898:TCP:*:Enabled:Services
"4296:TCP"=4296:TCP:*:Enabled:Services


~~ EOF ~~

justwayne
2010-05-05, 04:25
In your instructions, it said "If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer". I should mention here that during the process, all there was in the window were the words "checking MBR". It stayed like that for 10-15 minutes and then I realized that the computer had frozen. So I had to reboot.
I still got the log, but does this mean that the fix didn't work?

km2357
2010-05-05, 07:13
Out of curiosity, are all these logs simply used to identify the problem or do they actually fix anything at the same time?

Some like HaMebCheck and DDS and GMER are used to identify problems and others like ComboFix and HelpAsst_mebroot_fix.exe are fixing things. :)



wouldn't it have been simpler to do a Windows Repair or is the problem more complex and that is why we're going through all these steps?

I don't know if a Windows Repair would fix your problem; a full reformat and reinstall of Windows would. It's taking some time, but I'm sticking with you till we fix your computer. :)



In your instructions, it said "If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer". I should mention here that during the process, all there was in the window were the words "checking MBR". It stayed like that for 10-15 minutes and then I realized that the computer had frozen. So I had to reboot.
I still got the log, but does this mean that the fix didn't work?

Based on the first log, it looks like HelpAsst_mebroot_fix.exe was working, it was fixing what needed to be fixed and deleting what needed to be deleted. On the 2nd log, it looked like it didn't fully complete. Perhaps due to the "Checking MBR" being frozen and your rebooting of the computer.

Go ahead and run HelpAsst_mebroot_fix.exe one more time and let it run to completion. I'll repost the instructions below: :)

Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

justwayne
2010-05-05, 12:49
Thanks for sticking with me! I'll try again after work. What should I do if it freezes again?

km2357
2010-05-05, 20:06
If it looks like it has frozen, go ahead and leave it alone, it may still be working. If it stays frozen for 5 hours or more, then go ahead and stop it. We'll then work on a different approach regarding HelpAsst_mebroot_fix.exe.

justwayne
2010-05-05, 23:50
Hi, well it worked smoothly, this time. I hope the new log is helpful! Here it is:


device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82d4be00
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x828b38f0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
Use "Recovery Console" command "fixmbr" to clear infection !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 05/05/2010 at 17:47:04.23

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
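The two HelpAsst_mebroot_fix logs posted above (the 2010-05-05 03:42 log with the infection still present, and the 2010-05-05 23:50 log after the fix completed) carry the same indicators that km2357 described earlier in the thread: an active HelpAssistant account, a rogue termsrv32.dll, an MBR rootkit warning, a registered HelpAssistant profile, leftover HelpAssistant directories, and ports added to the firewall's GloballyOpenPorts lists. The script below is an added example, not code from the tool or from anyone in the thread: it parses the final "Status check on ..." block of such a log into a set of named indicators and reports which ones a later run cleared. The BEFORE_LOG and AFTER_LOG strings are constructed samples shaped like the posted logs, and the indicator names are my own.

```python
"""Summarise HelpAsst_mebroot_fix status logs: which HelpAssistant/MBR indicators
remain, and which a later run cleared. Added example, not the tool's own code."""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\1:\2:\*:Enabled:', re.I)   # "3389:TCP"=3389:TCP:*:Enabled:Services
FW_LIST_RE = re.compile(r'^\[HKLM\\~\\.*firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]$', re.I)
SID_RE = re.compile(r'^S-1-5-21-[\d-]+$')

@dataclass
class Findings:
    account_active: bool = False      # HelpAssistant account enabled
    termsrv32_present: bool = False   # rogue termsrv32.dll on disk
    mbr_warning: bool = False         # MBR rootkit warning from the embedded detector
    profile_sid: str = ""             # HelpAssistant profile SID still in the profile list
    profile_dirs: list = field(default_factory=list)
    open_ports: dict = field(default_factory=dict)   # firewall profile -> ["port/PROTO", ...]

def parse_status(text):
    """Parse the final 'Status check on ...' block; earlier lines describe the fix run."""
    f, section, fw_profile = Findings(), None, None
    for raw in text[max(text.rfind("Status check on"), 0):].splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("~~ Checking"):
            section = line.strip("~ ").lower()    # e.g. "checking firewall ports"
            fw_profile = None
        elif line.startswith("Account active"):
            f.account_active = line.split()[-1].lower() == "yes"
        elif "termsrv32.dll present" in line:
            f.termsrv32_present = True
        elif "MBR rootkit infection" in line:     # "possible ..." or "... detected !"
            f.mbr_warning = True
        elif section == "checking profile list" and SID_RE.match(line):
            f.profile_sid = line
        elif section == "checking for helpassistant directories" and line.startswith("HelpAssistant"):
            f.profile_dirs.append(line)
        elif section == "checking firewall ports":
            if m := FW_LIST_RE.match(line):
                fw_profile = m.group(1).lower()
                f.open_ports.setdefault(fw_profile, [])
            elif fw_profile is not None and (m := PORT_RE.match(line)):
                f.open_ports[fw_profile].append(f"{m.group(1)}/{m.group(2).upper()}")
    for ports in f.open_ports.values():
        ports.sort(key=lambda p: int(p.split("/")[0]))
    return f

def indicators(f):
    """Names of the indicators present in one status check."""
    checks = [
        ("helpassistant_account_active", f.account_active),
        ("termsrv32_dll_present", f.termsrv32_present),
        ("mbr_rootkit_warning", f.mbr_warning),
        ("helpassistant_profile_registered", bool(f.profile_sid)),
        ("helpassistant_profile_dirs", bool(f.profile_dirs)),
        ("rogue_globally_open_ports", any(f.open_ports.values())),
        ("rdp_3389_open", any("3389/TCP" in p for p in f.open_ports.values())),  # Remote Desktop port
    ]
    return [name for name, hit in checks if hit]

def cleared_between(before_text, after_text):
    """Indicators present in the first status check but gone from the second."""
    return sorted(set(indicators(parse_status(before_text))) - set(indicators(parse_status(after_text))))

# Constructed sample logs, shaped like the two status checks posted in the thread.
BEFORE_LOG = r"""Status check on 04/05/2010 at 21:32:16.17
Account active Yes
~~ Checking mbr ~~
Warning: possible MBR rootkit infection !
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
~~ Checking profile list ~~
S-1-5-21-57989841-1592454029-725345543-1000
~~ Checking for HelpAssistant directories ~~
HelpAssistant
HelpAssistant.CATSEYE2
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Services
~~ EOF ~~"""
AFTER_LOG = r"""Status check on 05/05/2010 at 17:47:04.23
Account active No
~~ Checking mbr ~~
user & kernel MBR OK
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking for HelpAssistant directories ~~
HelpAssistant
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
~~ EOF ~~"""

if __name__ == "__main__":
    print("cleared by fix:", cleared_between(BEFORE_LOG, AFTER_LOG))
    print("still present:", indicators(parse_status(AFTER_LOG)))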

km2357
2010-05-06, 04:01
The new log looks great. :) HelpAsst_mebroot_fix did its job. :bigthumb:

From this point on till the end of the fix, you'll be using your computer as you'll need to go online with it in the upcoming steps.

First, I'd like for you to delete the following folder from your computer, if found:

C:\Documents and Settings\HelpAssistant


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u20 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:


Java(TM) 6 Update 18


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.


Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!


Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose

Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO


Step # 3 Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


In your next post/reply, I need to see the following:

1. The MalwareBytes' Log
2. A fresh DDS Log

justwayne
2010-05-07, 03:24
Hi,
I got two logs from DDS. One is called "Attach" and it says to zip it and post it "only if requested". Please let me know what you want me to do, but note I don't have Winzip so I would not be able to zip it unless I download it first! I hope that's ok. If you really need it, I could also zip it at work.

Right now, I must say that the computer seems to be running faster. One thing I notice is that it still takes a few seconds too many for the browser to launch and the homepage to open.

I could be wrong, but I suspect that I might have to update certain things, such as Windows update and my antivirus (which should be upgraded anyway - I tried about a month ago when it prompted me to do so and got an error message telling me the upgrade had failed). I will not do it until you instruct me to. I must say I'm happy this is working nicely and I find your instructions easy to follow! Thank you for that; I know fixing a computer problem can be intimidating and scary!

Here are the 2 logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/05/2010 8:48:54 PM
mbam-log-2010-05-06 (20-48-54).txt

Scan type: Quick scan
Objects scanned: 196723
Time elapsed: 16 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Christian at 21:02:23.10 on 06/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.229 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Christian.CATSEYE2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-9 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-20 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-9 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-10 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-9 1370488]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1285864]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-9 29208]

=============== Created Last 30 ================

2010-05-06 23:59:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-06 23:59:24 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-05 00:05:24 0 d-----w- C:\HelpAsst_backup
2010-05-04 00:41:40 220024 ----a-w- c:\windows\sigcheck.exe
2010-05-04 00:23:39 12377 ----a-w- c:\windows\look.bat
2010-05-04 00:23:27 0 d-----w- c:\windows\maxdriver
2010-04-29 21:12:01 0 d-sha-r- C:\cmdcons
2010-04-29 21:03:44 77312 ----a-w- c:\windows\MBR.exe
2010-04-29 21:03:44 256512 ----a-w- c:\windows\PEV.exe
2010-04-29 21:03:44 161792 ----a-w- c:\windows\SWREG.exe
2010-04-29 21:03:43 98816 ----a-w- c:\windows\sed.exe
2010-04-24 21:21:19 0 d-----w- c:\docume~1\christ~1.cat\applic~1\Malwarebytes
2010-04-24 21:18:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 21:16:49 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-04-24 21:16:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 00:31:54 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-21 00:30:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-21 00:24:55 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-15 22:14:14 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-04-10 01:39:18 527 ----a-w- c:\windows\wininit.ini
2010-04-09 17:34:31 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-04-09 17:34:31 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 23:22:35 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-04 23:22:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 21:03:43.60 ===============

km2357
2010-05-07, 06:21
I got two logs from DDS. One is called "Attach" and it says to zip it and post it "only if requested". Please let me know what you want me to do, but note I don't have Winzip so I would not be able to zip it unless I download it first! I hope that's ok. If you really need it, I could also zip it at work.

No need to post the Attach Log. All I needed to see was the main DDS Log which you posted and it looks good. :)



Right now, I must say that the computer seems to be running faster. One thing I notice is that it still takes a few seconds too many for the browser to launch and the homepage to open.

Try the following tips at the website below to see if they help any:

http://www.malwareremoval.com/tutorials/runningslowly.php



I could be wrong, but I suspect that I might have to update certain things, such as Windows update and my antivirus (which should be upgraded anyway - I tried about a month ago when it prompted me to do so and got an error message telling me the upgrade had failed). I will not do it until you instruct me to.

Go ahead and update your AntiVirus and run Windows Update as well, if you can.


Your version of MalwareBytes' has an out of date database version (4052). The latest Database version is in the 4070's. Go ahead and update MalwareBytes' (click the Update tab, next click Check for Updates to download any updates, if available.) and do another Quick Scan and post the Log in your next post/reply.


Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. Kaspersky Log
3. How is your computer doing, any problems?

justwayne
2010-05-07, 23:26
hi,

Before I run Kaspersky, I need to know: I have a full (legal and purchased!) version of AVG 9.0. Will this interfere with it? It's asking me to turn it off or something. I'm always a bit nervous when doing something with my antivirus!!

I have updated MalwareBytes and am posting the new log now. The computer seems to be running fine, but loading the browser is still slow. Even if I was to close it right now and re-open it, it would take a minute to open. Do you think there might be a problem with IE and it needs to be reinstalled? Should I switch to Firefox?

Also, at the beginning of this thread, I mentioned that I suspected I had XP installed twice (by accident!) on my computer. Is there a way to find out? And if it's the case, wouldn't it eat up some of the HD space unnecessarily?

Here's the MalwareBytes log, for now:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/05/2010 5:12:01 PM
mbam-log-2010-05-07 (17-12-01).txt

Scan type: Quick scan
Objects scanned: 202558
Time elapsed: 15 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Looks pretty good, eh? :bigthumb:

km2357
2010-05-08, 02:13
Looks pretty good, eh?

A clean MalwareBytes' Log does indeed look good. :)


Before I run Kaspersky, I need to know: I have a full (legal and purchased!) version of AVG 9.0. Will this interfere with it? It's asking me to turn it off or something. I'm always a bit nervous when doing something with my antivirus!!

I believe Kaspersky should run ok with AVG enabled. It may take a longer time to do a Kaspersky scan with AVG enabled than with it disabled. Kaspersky scans usually take 2-4 hours depending on how much stuff is on the Hard Drive. The more space taken up on the Hard Drive, the longer the scan.



The computer seems to be running fine, but loading the browser is still slow. Even if I was to close it right now and re-open it, it would take a minute to open. Do you think there might be a problem with IE and it needs to be reinstalled? Should I switch to Firefox?

You can try uninstalling and reinstalling IE to see if that helps. You can also try another browser: Firefox (www.mozilla.com/firefox/), Opera (www.opera.com/) or Google Chrome (www.google.com/chrome).



Also, at the beginning of this thread, I mentioned that I suspected I had XP installed twice (by accident!) on my computer. Is there a way to find out? And if it's the case, wouldn't it eat up some of the HD space unnecessarily?

When you boot up the computer, does it give you the option to choose between two Windows XPs? If it does, then you have two XP installations. If it just shows a selection between the Recovery Console and Windows XP, then you just have one XP installation. :)

justwayne
2010-05-08, 17:31
Hi,

I tried to run Kaspersky, but it froze at 34 minutes - 2% scanned. I even went out for a couple of hours and came back and it was still showing 34 minutes! Nothing of what it scanned was infected. Why are we running this one anyway? Isn't it just another anti-virus? Isn't AVG enough?

I haven't done anything with IE yet. I don't know if it needs to be fixed (somehow) or uninstalled-reinstalled. Or if it's even necessary! Any thoughts?

km2357
2010-05-08, 18:51
I tried to run Kaspersky, but it froze at 34 minutes - 2% scanned. I even went out for a couple of hours and came back and it was still showing 34 minutes! Nothing of what it scanned was infected. Why are we running this one anyway? Isn't it just another anti-virus? Isn't AVG enough?

Kaspersky is an online scanner, it doesn't remove anything like AVG does. Malware fighters/removal helpers like myself have our users run online scans to see if there is anything left over that we need to get rid of. Online scanners can sometimes show files/folders that an antivirus like AVG can miss. It is usually the last thing/one of the last things we have people do for us. Since Kaspersky froze up on you, I'll have you try another online scanner in this post.



I haven't done anything with IE yet. I don't know if it needs to be fixed (somehow) or uninstalled-reinstalled. Or if it's even necessary! Any thoughts?

Earlier in this thread (and in your last post), you mention IE being slow/loading up slow? Is it still doing this? If it is you can try uninstalling-reinstalling it to see if it goes back to normal. If IE is back to normal, then no need to do anything to it.

----------

I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window:
ESET OnlineScan (http://eset.com/onlinescan)
Click the ESET Online Scanner button.
For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    Click on the download button to download the ESET Smart Installer. Save it to your desktop.
    Double click on the ESET Smart Installer icon on your desktop.
Check the box to accept the Terms of Use.
Click the Start button. Accept any security warnings from your browser.
Check Scan archives.
Push the Start button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push List of found threats.
Make sure that Remove found threats is unchecked.
Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish.

justwayne
2010-05-09, 20:38
Hi,
Here's my ESET scan:

C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\0A4ZLG35\data[1].html JS/Exploit.Pdfka.NXM trojan
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\8TX4AQQE\data[1].html JS/Exploit.Pdfka.NXM trojan
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\IH5K32A4\data[1].htm JS/Exploit.Agent.NBC trojan
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\JJZZTKD0\data[1].htm JS/Exploit.Agent.NBC trojan
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application


Looks like there are still a few little bugs!

km2357
2010-05-10, 02:32
The files in the C:\HelpAsst_backup folder are files that HelpAsst_mebroot_fix.exe removed/quarantined when we ran it. They are harmless where they are. We'll be removing them in an upcoming post. :)

As for the C:\I386\GTDownDE_87.ocx file, that is a false positive related to Dell Support. So nothing to worry about there. :)

We are just about done, how is the computer doing, also how is the other account on the computer doing as well?

justwayne
2010-05-10, 14:22
Hi,
The computer is running much faster! We still have to go through our files and delete stuff we no longer use. Also, I think too many apps load at startup, don't you? Unfortunately, we use most of them regularly.
The other user says that his side is running faster as well. We both use pretty well the same programs. The one thing we both notice is that startup is slow and Windows still takes a while to open, but once it is, surfing is a breeze, compared to a month ago!
I still haven't uninstalled/reinstalled IE8 because I wanted to see what your comments on the ESET log would be.

When we're done, I would be grateful if you could give me some advice as to how to avoid this happening again! :thanks:

km2357
2010-05-10, 20:27
Great to hear that the computer is running much faster and that the other account is running faster as well! :bigthumb:

As for the startup programs, since you mentioned using them regularly, disabling them wouldn't be worthwhile since you use them so much that disabling them would be a hassle/waste of time. Overall, it looks like your startup list is ok, but if you want to disable some things, let me know and I'll let you know what you can disable.

Regarding the slow startup, clearing up some HD space will help, also getting more RAM (if your computer has low RAM) will help speed up your computer as well.


If there are no more malware-related problems, then you are good to go. :)


Let's do some cleanup.


You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.zip
SysProt.exe
The SysProt Log
TDSSKiller.exe
The TDSSKiller Log
SystemLook.exe
The SystemLook Log
The HAMeb_check Log


To remove Maxlook, do the following:

Go to Start > Run - type in maxlook -cleanup & click OK


To remove HelpAsst_mebroot_fix (and clear its quarantine), do the following:

Go to Start > Run - type in helpasst -cleanup & click OK


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK


Empty your Recycle Bin.


You can reenable Teatimer.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure. This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change Download signed ActiveX controls to Prompt.
Change Download unsigned ActiveX controls to Disable.
Change Initialize and script ActiveX controls not marked as safe to Disable.
Change Installation of desktop items to Prompt.
Change Launching programs and files in an IFRAME to Prompt.
Change Navigate sub frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP:
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders", if necessary select Do not show hidden files and folders.
If unchecked, please check Hide protected operating system files (Recommended).
If necessary, check "Display content of system folders".
If necessary, uncheck Hide file extensions for known file types.
Click OK.

Use An Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)

Use the hosts file - Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen.
Click Run. In the dialog box, type services.msc and hit Enter.
Locate DNS Client, highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual. Click OK.

Use an alternative instant messenger program - Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)

If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.


If you want to work on disabling some programs at startup, let me know and I'll keep the thread open a little while longer.
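The Internet Explorer zone settings and Folder Options steps in the "All Clean" post above are clicked through the GUI; the script below is an added example (not from this thread, nor part of Spybot, ESET or any of the tools used here) that audits the same settings from the registry so you can confirm they stuck, and optionally applies them with -Fix. The numbered value names (1001, 1004, 1201, 1800, 1804, 1607) are Microsoft's documented identifiers for those Internet-zone actions, with 0 = Enable, 1 = Prompt, 3 = Disable; the Explorer\Advanced names (Hidden, HideFileExt, ShowSuperHidden) are the ones the Folder Options dialog writes. The DNS Client check only reports the service's start mode, since the hosts-file step in the post is optional.

```powershell
# Added example: audit (and optionally set) the IE Internet-zone and Explorer
# view settings recommended in the post above. Run as the user whose profile
# you want to check; with -Fix it writes the recommended values to HKCU.
param([switch]$Fix)

# Meaning of the DWORD values under the zone key (Microsoft's documented scheme).
$zoneActions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }   # key or value missing
    return $item.$Name
}

function Test-Setting {
    param([string]$Path, [string]$Name, [string]$Label, [int]$Want, [hashtable]$Names)
    $have = Get-RegValue -Path $Path -Name $Name
    $haveText = if ($have -eq $null) { '(not set, default in effect)' }
                elseif ($Names -and $Names.ContainsKey([int]$have)) { $Names[[int]$have] }
                else { "value $have" }
    $wantText = if ($Names) { $Names[$Want] } else { "value $Want" }
    if ($have -ne $null -and [int]$have -eq $Want) {
        Write-Host ("OK    {0}: {1}" -f $Label, $haveText)
        return
    }
    Write-Host ("CHECK {0}: is {1}, recommended {2}" -f $Label, $haveText, $wantText)
    if ($Fix) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Want -Type DWord
        Write-Host ("      -> set to {0}" -f $wantText)
    }
}

# Zone 3 is the Internet zone; these are the six actions the post changes.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneChecks = @(
    @{ Name = '1001'; Label = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Name = '1004'; Label = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Name = '1201'; Label = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Name = '1800'; Label = 'Installation of desktop items';                             Want = 1 },
    @{ Name = '1804'; Label = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Name = '1607'; Label = 'Navigate sub-frames across different domains';              Want = 1 }
)
Write-Host '== Internet Explorer, Internet zone =='
foreach ($c in $zoneChecks) {
    Test-Setting -Path $zone -Name $c.Name -Label $c.Label -Want $c.Want -Names $zoneActions
}

# Folder Options > View, as written by the dialog into Explorer\Advanced.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Write-Host '== Explorer folder view =='
Test-Setting -Path $adv -Name 'Hidden'          -Label 'Hidden files and folders' -Want 2 `
             -Names @{ 1 = 'Show hidden files'; 2 = 'Do not show hidden files' }
Test-Setting -Path $adv -Name 'ShowSuperHidden' -Label 'Hide protected operating system files' -Want 0 `
             -Names @{ 0 = 'Hidden (Recommended)'; 1 = 'Shown' }
Test-Setting -Path $adv -Name 'HideFileExt'     -Label 'Hide file extensions for known file types' -Want 0 `
             -Names @{ 0 = 'Extensions shown'; 1 = 'Extensions hidden' }

# Hosts-file step: report only. Manual start is only suggested if the MVPS
# hosts file is installed and causes slowdowns, so nothing is changed here.
$dns = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
if ($dns) {
    Write-Host '== DNS Client service =='
    Write-Host ("INFO  start mode is {0} (Manual only matters if you use a large hosts file)" -f $dns.StartMode)
}
```

Run it once without -Fix to see which lines print CHECK, compare against the dialog, then run it with -Fix if you prefer to let the script write the values. Two caveats: the settings live under HKCU, so each account on the machine (the "other side" mentioned earlier in the thread) needs its own run, and if an administrator or domain policy has enabled the HKLM-only security setting, the per-user zone values are ignored and the dialog will show the machine-wide ones instead.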

justwayne
2010-05-10, 21:51
When you say I can reenable Teatimer, is it a recommendation or an option? In your opinion, SHOULD it be reenabled?

I have printed your instructions and will work through them when I get home!

km2357
2010-05-11, 02:01
Go ahead and reenable Teatimer as it'll be an extra layer of protection. We disabled it because it would've interfered with our fixes. Now that we're done with that, you can reenable it. :)

justwayne
2010-05-11, 03:02
When you say "remove Maxlook and helpasst...", if I go to start > Run and type the name, I simply get back to the tool to run. It doesn't give me the option of deleting it. It just asks me if I want to run it. Am I missing something? Am I supposed to run it again and it will give me the option of deleting it at some point?

Also, in your post, you mention RAM, which doesn't surprise me! I'm not quite sure how much RAM one should have on a computer. I added some to the last computer I had and it made a difference (at the time, we used to play video games a lot!). Of course, I understand that your focus is on malware removal, but I have received such great help from you....forgive me for asking some unrelated questions!

By the way, if I could, I'd buy you dinner! Your taking the time to help people like this proves that there are still decent people in this world! I'll never understand why there are people who actually waste time infecting us with all sorts of crap, when computers are such wonderful tools. I am SO grateful for all your help! Thank you so, so, SOOOOOO much! :thanks:

km2357
2010-05-11, 20:12
When you say "remove Maxlook and helpasst...", if I go to start > Run and type the name, I simply get back to the tool to run. It doesn't give me the option of deleting it. It just asks me if I want to run it. Am I missing something? Am I supposed to run it again and it will give me the option of deleting it at some point?

Did you add -cleanup after each program's name (i.e. maxlook -cleanup)? If you did and you pressed Enter/OK, the tool should run (have it run if it asks you to do so) and delete itself.



Also, in your post, you mention RAM, which doesn't surprise me! I'm not quite sure how much RAM one should have on a computer. I added some to the last computer I had and it made a difference (at the time, we used to play video games a lot!). Of course, I understand that your focus is on malware removal, but I have received such great help from you....forgive me for asking some unrelated questions!

For a computer running XP, you should have at least 1024MB (1 GB) of RAM. If you can add more RAM than 1GB and your computer can handle it, even better. :)

justwayne
2010-05-14, 16:40
Hello,
The computer is behaving much better. IE is still sticky, but I will try an uninstall/reinstall in a couple of weeks when I'm back from vacation. As I mentioned, there are two of us using this computer and each has our own "side" (settings, preferences, docs etc). It still takes quite a while to switch from one side to the other. I guess this is as good as it gets. This computer is 5-6 years old, after all! If there is nothing else you would like me to try or fix, I guess this is my final post.
I want to take this opportunity to thank you once again for all your help! I learned a lot and was able to follow your instruction easily. I must say I'm almost proud of myself!! Thanks! :thanks:

km2357
2010-05-14, 20:59
You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.