fraud.windows protection & redirect infection



Kristena
2010-08-26, 19:02
I'm really a novice computer user but I need help with these infections. I have teenagers! And therein lies the problem... Anyway, I've run Spybot and these 2 infections (multiple, really) cannot be removed and seem to redirect Google and often freeze the whole computer.

Thank you for your help; I'm off to get a glass of wine!

Here's the DDS I just ran:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tena at 9:53:10.12 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.191 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tena\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2014090
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\tena\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\tena\startm~1\programs\startup\imvu.lnk - c:\documents and settings\tena\application data\imvuclient\imvuqualityagent.exe
StartupFolder: c:\documents and settings\tena\start menu\programs\startup\PowerReg Scheduler.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\tena\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185993201343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185993393984
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {076394AD-7FDD-44EF-A075-32C68DBAB99B} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tena\applic~1\mozilla\firefox\profiles\fdwm9rbr.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\tena\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\runtime@panda3d.org\platform\winnt_x86-msvc\plugins\nppanda3d.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-19 64288]
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2007-11-21 15280]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 NAVAP;NAVAP;\??\c:\program files\symantec_client_security\symantec antivirus\navap.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAP.sys [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20020619.005\NAVENG.sys [2005-11-9 65920]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20020619.005\NAVEX15.sys [2005-11-9 586816]
S3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]

=============== Created Last 30 ================

2010-08-21 04:48:02 3248 ----a-w- c:\windows\system32\wbem\Outlook_01cb40ec0939622a.mof
2010-08-20 22:36:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-20 20:23:34 0 d-----w- c:\program files\common files\PC Tools
2010-08-20 20:23:33 0 d-----w- c:\program files\PC Tools Security
2010-08-19 22:15:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-19 20:21:10 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-19 20:20:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-19 20:09:28 0 d-----w- c:\program files\SpywareBlaster
2010-08-19 19:40:10 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 19:38:01 0 d-----w- c:\program files\Lavasoft
2010-08-06 19:00:51 0 d-----w- c:\windows\system32\NtmsData
2010-08-06 18:10:35 0 d-----w- c:\docume~1\tena\applic~1\My Security Shield
2010-07-28 15:08:17 0 d-----w- c:\program files\iPod
2010-07-28 15:07:51 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-18 04:33:49 4096 ----a-w- c:\windows\d3dx.dat
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-16 21:31:29 59044 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2009-05-27 20:11:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052720090528\index.dat

============= FINISH: 9:54:37.71 ===============
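The Hosts: lines in the DDS report above are the part of the log a helper looks at first, so here is an added example (not from the thread, and not part of DDS) that pulls those lines out of a DDS log and separates plain blocking entries (a name mapped to loopback or 0.0.0.0, which Spybot's immunization adds on purpose) from entries that send a name to some other address. The sample input is a constructed excerpt of the log posted above; the helper names and the `example.test` hostname are this example's own.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, NamedTuple

# Constructed excerpt of the DDS "Pseudo HJT Report" posted above; the non-Hosts
# lines are included to show that the parser ignores unrelated report lines.
SAMPLE_LOG = """\
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2014090
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
"""

# DDS prints hosts-file lines as "Hosts: <address> <name>".
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")


class HostsEntry(NamedTuple):
    address: str
    hostname: str


def parse_hosts_entries(log_text: str) -> List[HostsEntry]:
    """Pull every Hosts: line out of a DDS log, keeping log order."""
    entries: List[HostsEntry] = []
    for raw in log_text.splitlines():
        match = HOSTS_RE.match(raw.strip())
        if match:
            entries.append(HostsEntry(match.group(1), match.group(2)))
    return entries


def is_blocking_entry(entry: HostsEntry) -> bool:
    """True when the entry only blocks a name (loopback or the unspecified
    address). Such lines are what immunization tools add deliberately."""
    try:
        addr = ip_address(entry.address)
    except ValueError:
        return False  # not an IP literal at all; leave it for manual review
    return addr.is_loopback or addr.is_unspecified


def find_redirects(entries: List[HostsEntry]) -> Dict[str, List[str]]:
    """Group the non-blocking entries by target address. A name mapped to a
    routable address is silently sent there instead of to its real host, so
    these are the lines to inspect (and compare against the "My Security
    Shield" folder the same log lists under Created Last 30)."""
    redirects: Dict[str, List[str]] = {}
    for entry in entries:
        if not is_blocking_entry(entry):
            redirects.setdefault(entry.address, []).append(entry.hostname)
    return redirects


def review(log_text: str) -> List[str]:
    """One finding per redirect target, naming every host it captures."""
    findings: List[str] = []
    grouped = find_redirects(parse_hosts_entries(log_text))
    for address, names in sorted(grouped.items()):
        findings.append(
            f"{len(names)} name(s) redirected to {address}: {', '.join(names)}"
        )
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```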

jmw3
2010-08-30, 15:29
Hello & Welcome to Safer-Networking

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

In the meantime please note the following:
Any recommendations made are for your computer problems only and should NOT be used on any other computer.
Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
If you get stuck or are unsure of something please ask for a further explanation, do not guess.
It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate. Please note that the forum is very busy and if I don't hear from you within four days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

Disable Spybot's TeaTimer 1.5 & 1.6
If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
Click on Mode > Advanced Mode. When it prompts you, click Yes
On the left hand side, click on Tools
Check this box if it is not yet ticked: Resident
You will notice that Resident is now added under Tools. Click on Resident
Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
Exit Spybot Search & Destroy
Restart your computer for the changes to take effect. Leave TeaTimer disabled until we're done here.

DDS
As your log is a couple of days old, please run DDS again & post the contents of both the new DDS & the Attach log.

Gmer
Download GMER Rootkit Scanner from here (http://www.gmer.net/download.php) & save it to your desktop.
Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


In the right panel, you will see several boxes that have been checked. Uncheck the following:
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Do not run any programs while Gmer is running.

NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
Double click the gmer.exe file
The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

Kristena
2010-08-30, 22:30
Thank you! Here are the results of the latest scans.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tena at 11:30:08.42 on Mon 08/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.64 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tena\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2014090
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\tena\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\tena\startm~1\programs\startup\imvu.lnk - c:\documents and settings\tena\application data\imvuclient\imvuqualityagent.exe
StartupFolder: c:\documents and settings\tena\start menu\programs\startup\PowerReg Scheduler.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\tena\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185993201343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185993393984
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {076394AD-7FDD-44EF-A075-32C68DBAB99B} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tena\applic~1\mozilla\firefox\profiles\fdwm9rbr.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\tena\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\tena\application data\mozilla\firefox\profiles\fdwm9rbr.default\extensions\runtime@panda3d.org\platform\winnt_x86-msvc\plugins\nppanda3d.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-19 64288]
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2007-11-21 15280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355416]
S2 gupdate1ca170d751b90f8;Google Update Service (gupdate1ca170d751b90f8);c:\program files\google\update\GoogleUpdate.exe [2009-8-6 133104]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S2 Norton AntiVirus Server;Symantec AntiVirus Client;"c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe" --> c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 NAVAP;NAVAP;\??\c:\program files\symantec_client_security\symantec antivirus\navap.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAP.sys [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20020619.005\NAVENG.sys [2005-11-9 65920]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20020619.005\NAVEX15.sys [2005-11-9 586816]
S3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]

=============== Created Last 30 ================

2010-08-21 04:48:02 3248 ----a-w- c:\windows\system32\wbem\Outlook_01cb40ec0939622a.mof
2010-08-20 22:36:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-20 20:23:34 0 d-----w- c:\program files\common files\PC Tools
2010-08-20 20:23:33 0 d-----w- c:\program files\PC Tools Security
2010-08-19 22:15:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-19 20:21:10 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-19 20:20:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-19 20:09:28 0 d-----w- c:\program files\SpywareBlaster
2010-08-19 19:40:10 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 19:38:01 0 d-----w- c:\program files\Lavasoft
2010-08-06 19:00:51 0 d-----w- c:\windows\system32\NtmsData
2010-08-06 18:10:35 0 d-----w- c:\docume~1\tena\applic~1\My Security Shield

==================== Find3M ====================

2010-08-28 16:11:19 58968 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-18 04:33:49 4096 ----a-w- c:\windows\d3dx.dat
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2009-05-27 20:11:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052720090528\index.dat

============= FINISH: 11:31:30.59 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-30 13:29:44
Windows 5.1.2600 Service Pack 3
Running: kxp5thrb.exe; Driver: C:\DOCUME~1\Tena\LOCALS~1\Temp\kwdyqpoc.sys


---- System - GMER 1.0.15 ----

SSDT sbhr.sys ZwClose [0xF8B8C514]
SSDT sbhr.sys ZwCreateKey [0xF8B8C552]
SSDT sbhr.sys ZwOpenKey [0xF8B8C4D0]
SSDT sbhr.sys ZwSetValueKey [0xF8B8C5A2]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3676] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

I don't know how to attach the file here so here's the text:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/9/2005 11:06:09 PM
System Uptime: 8/30/2010 11:24:13 AM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0K0057
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2660/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 4.135 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1002: 7/3/2010 3:06:02 PM - System Checkpoint
RP1003: 7/4/2010 5:00:17 PM - System Checkpoint
RP1004: 7/5/2010 5:04:49 PM - System Checkpoint
RP1005: 7/6/2010 5:06:04 PM - System Checkpoint
RP1006: 7/7/2010 6:06:05 PM - System Checkpoint
RP1007: 7/8/2010 6:46:29 PM - System Checkpoint
RP1008: 7/11/2010 3:55:01 PM - System Checkpoint
RP1009: 7/12/2010 5:49:27 PM - System Checkpoint
RP1010: 7/14/2010 10:56:05 PM - System Checkpoint
RP1011: 7/15/2010 3:00:35 AM - Software Distribution Service 3.0
RP1012: 7/16/2010 3:39:47 AM - System Checkpoint
RP1013: 7/17/2010 4:39:47 AM - System Checkpoint
RP1014: 7/18/2010 5:39:49 AM - System Checkpoint
RP1015: 7/19/2010 6:39:47 AM - System Checkpoint
RP1016: 7/20/2010 7:39:47 AM - System Checkpoint
RP1017: 7/21/2010 7:54:56 AM - System Checkpoint
RP1018: 7/22/2010 8:55:40 AM - System Checkpoint
RP1019: 7/23/2010 12:37:46 PM - System Checkpoint
RP1020: 7/24/2010 12:47:23 PM - System Checkpoint
RP1021: 7/25/2010 3:34:17 PM - System Checkpoint
RP1022: 7/26/2010 3:56:59 PM - System Checkpoint
RP1023: 7/27/2010 4:16:58 PM - System Checkpoint
RP1024: 7/28/2010 4:52:11 PM - System Checkpoint
RP1025: 7/29/2010 5:49:19 PM - System Checkpoint
RP1026: 7/30/2010 6:53:41 PM - System Checkpoint
RP1027: 7/31/2010 7:24:14 PM - System Checkpoint
RP1028: 8/1/2010 9:15:15 PM - System Checkpoint
RP1029: 8/2/2010 9:16:45 PM - System Checkpoint
RP1030: 8/3/2010 3:00:18 AM - Software Distribution Service 3.0
RP1031: 8/4/2010 3:21:34 AM - System Checkpoint
RP1032: 8/5/2010 4:21:34 AM - System Checkpoint
RP1033: 8/6/2010 5:21:52 AM - System Checkpoint
RP1034: 8/6/2010 12:03:03 PM - Restore Operation
RP1035: 8/7/2010 12:42:35 PM - System Checkpoint
RP1036: 8/8/2010 12:43:31 PM - System Checkpoint
RP1037: 8/14/2010 7:03:55 PM - System Checkpoint
RP1038: 8/15/2010 3:00:46 AM - Software Distribution Service 3.0
RP1039: 8/16/2010 3:42:18 AM - System Checkpoint
RP1040: 8/17/2010 4:42:18 AM - System Checkpoint
RP1041: 8/18/2010 5:42:21 AM - System Checkpoint
RP1042: 8/18/2010 8:59:59 PM - Removed Blue's Room
RP1043: 8/18/2010 9:00:27 PM - Removed Clifford Musical Memory Games
RP1044: 8/19/2010 9:18:26 PM - System Checkpoint
RP1045: 8/20/2010 1:48:53 PM - PC Tools AntiVirus Free: Cleaning Threats
RP1046: 8/20/2010 3:34:46 PM - Restore Operation
RP1047: 8/21/2010 5:27:58 PM - System Checkpoint
RP1048: 8/23/2010 7:46:51 AM - System Checkpoint
RP1049: 8/24/2010 7:48:04 AM - System Checkpoint
RP1050: 8/25/2010 8:12:56 AM - System Checkpoint
RP1051: 8/26/2010 12:39:45 PM - System Checkpoint
RP1052: 8/27/2010 2:20:01 PM - System Checkpoint
RP1053: 8/28/2010 2:30:45 PM - System Checkpoint
RP1054: 8/29/2010 3:00:03 PM - System Checkpoint

==== Hosts File Hijack ======================

Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure.paysecuresystem.com
Hosts: 74.125.45.100 paysoftbillsolution.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 94.228.209.243 www.google.com
Hosts: 94.228.209.243 google.com
Hosts: 94.228.209.243 google.com.au
Hosts: 94.228.209.243 www.google.com.au
Hosts: 94.228.209.243 google.be
Hosts: 94.228.209.243 www.google.be
Hosts: 94.228.209.243 google.com.br
Hosts: 94.228.209.243 www.google.com.br
Hosts: 94.228.209.243 google.ca
Hosts: 94.228.209.243 www.google.ca
Hosts: 94.228.209.243 google.ch
Hosts: 94.228.209.243 www.google.ch
Hosts: 94.228.209.243 google.de
Hosts: 94.228.209.243 www.google.de
Hosts: 94.228.209.243 google.dk
Hosts: 94.228.209.243 www.google.dk
Hosts: 94.228.209.243 google.fr
Hosts: 94.228.209.243 www.google.fr
Hosts: 94.228.209.243 google.ie
Hosts: 94.228.209.243 www.google.ie
Hosts: 94.228.209.243 google.it
Hosts: 94.228.209.243 www.google.it
Hosts: 94.228.209.243 google.co.jp
Hosts: 94.228.209.243 www.google.co.jp
Hosts: 94.228.209.243 google.nl
Hosts: 94.228.209.243 www.google.nl
Hosts: 94.228.209.243 google.no
Hosts: 94.228.209.243 www.google.no
Hosts: 94.228.209.243 google.co.nz
Hosts: 94.228.209.243 www.google.co.nz
Hosts: 94.228.209.243 google.pl
Hosts: 94.228.209.243 www.google.pl
Hosts: 94.228.209.243 google.se
Hosts: 94.228.209.243 www.google.se
Hosts: 94.228.209.243 google.co.uk
Hosts: 94.228.209.243 www.google.co.uk
Hosts: 94.228.209.243 google.co.za
Hosts: 94.228.209.243 www.google.co.za
Hosts: 94.228.209.243 www.google-analytics.com
Hosts: 94.228.209.243 www.bing.com
Hosts: 94.228.209.243 search.yahoo.com
Hosts: 94.228.209.243 www.search.yahoo.com
Hosts: 94.228.209.243 uk.search.yahoo.com
Hosts: 94.228.209.243 ca.search.yahoo.com
Hosts: 94.228.209.243 de.search.yahoo.com
Hosts: 94.228.209.243 fr.search.yahoo.com
Hosts: 94.228.209.243 au.search.yahoo.com
Hosts: 94.228.209.243 www.youtube.com

==== Installed Programs ======================

1 Penguin 100 Cases
2WIRE Wireless LAN - USB Driver
2Wire Wireless Manager
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Download Manager
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 9.3.3
Adobe Shockwave Player 11.5
AiO_Scan
Amazon Kindle For PC v1.1
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Barbie(R) Pet Rescue
Big Fish Games: Game Manager
Bonjour
Compatibility Pack for the 2007 Office system
Dark Parables: Curse of Briar Rose
Dark Tales:™ Edgar Allan Poe`s Murders in the Rue Morgue Collector`s Edition
Dell Driver Download Manager
Dell ResourceCD
Dream Chronicles
ERUNT 1.1j
Free Realms
Google Chrome
Google Earth
Google Update Helper
Google Updater
Harry Potter
Harry Potter II
Haunted Manor: Lord of Mirrors
Hidden Expedition &reg; - Devil's Triangle
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
Intel(R) Extreme Graphics Driver
iTunes
LiveUpdate 1.7 (Symantec Corporation)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Midnight Mysteries: Salem Witch Trials
Mind Power(TM) Math - Pre Algebra
Miss Spider
Mobipocket Creator 4.2
Move Media Player
Mozilla Firefox (3.6.8)
Mystery Case Files&reg;: Dire Grove™ Collector's Edition
OGA Notifier 2.0.0048.0
OverDrive Media Console
Picasa 3
PuppetShow: Souls of the Innocent
Puzzlemania - Desert
Puzzlemania - Jungle
Puzzlemania - Space
QFolder
QuickTime
Scan
Scholastic's I SPY Fun House
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.3
Symantec AntiVirus Client
The Crop Circles Mystery
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
Unsolved Mystery Club™: Amelia Earhart™
Unwell Mel ™
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Zylom Games Player Plugin

==== Event Viewer Messages From Past Week ========

8/30/2010 11:20:51 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
8/24/2010 2:04:32 PM, error: Service Control Manager [7000] - The NAVAPEL service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================
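The "Hosts File Hijack" section above is the clearest indicator in these logs: dozens of search-engine and video hostnames all mapped to one non-local address (94.228.209.243), plus the browsers' reputation-check endpoints (safebrowsing-cache.google.com, urs.microsoft.com) and several payment sites sent to another, and a security-help site blackholed to 127.0.0.1. The script below is an added example for this thread, not part of DDS, GMER, ComboFix or any post here; it parses hosts entries either in the `Hosts:` form DDS prints or straight from a raw hosts file, classifies each entry, and counts how many names share a single non-local destination. The watch list of domains and both sample inputs are constructed for the example.

```python
"""Audit a Windows hosts file for redirect / blackhole entries.

Added example for this thread; not code from DDS, GMER, ComboFix or the posts.
Accepts both the "Hosts: <ip> <name>" lines DDS prints and raw hosts-file lines.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the format DDS uses in its "Hosts File Hijack" section.
SAMPLE_DDS_HOSTS = """\
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 94.228.209.243 www.google.com
Hosts: 94.228.209.243 google.co.uk
Hosts: 94.228.209.243 search.yahoo.com
Hosts: 94.228.209.243 www.bing.com
"""

# Constructed raw hosts file: the default localhost line, a comment, and one
# appended redirect with a trailing comment.
SAMPLE_RAW_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
94.228.209.243  www.google.com   # appended by malware
"""

# Domains a home PC should never override. Assumption: this watch list is the
# example's own; extend it with the search, update and AV domains you care about.
WATCHED_SUFFIXES = (
    "google.com", "google.co.uk", "bing.com", "yahoo.com", "youtube.com",
    "microsoft.com", "windowsupdate.com", "spywareinfo.com",
)

# Optional "Hosts:" prefix (DDS format), then address and hostname.
LINE_RE = re.compile(r"^(?:Hosts:\s+)?(\S+)\s+(\S+)")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address
        yield ip, host


def is_watched(host):
    """True when host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(ip, host):
    """Return 'redirect', 'blackhole', 'nonlocal' or None for a benign entry."""
    addr = ipaddress.ip_address(ip)
    local = addr.is_loopback or addr.is_unspecified  # 127.x / ::1 / 0.0.0.0
    if host == "localhost" and local:
        return None  # the stock entry
    if not local:
        # Any non-local mapping is unusual on a home PC; watched names are the hijack.
        return "redirect" if is_watched(host) else "nonlocal"
    # Local mappings are the normal ad-block use of a hosts file, except for
    # security/update domains, where they silently disable protection.
    return "blackhole" if is_watched(host) else None


def audit_hosts(text):
    """Return a list of (kind, ip, host) findings in file order."""
    findings = []
    for ip, host in parse_hosts(text):
        kind = classify(ip, host)
        if kind:
            findings.append((kind, ip, host))
    return findings


def redirect_targets(findings):
    """Count names per non-local destination; many names on one IP is the signature."""
    return Counter(ip for kind, ip, _ in findings if kind in ("redirect", "nonlocal"))


if __name__ == "__main__":
    found = audit_hosts(SAMPLE_DDS_HOSTS)
    for kind, ip, host in found:
        print(f"{kind:9} {ip:16} {host}")
    for ip, n in redirect_targets(found).most_common():
        print(f"{n} watched names redirected to {ip}")
```

On a live machine the text would be read from `%SystemRoot%\System32\drivers\etc\hosts`; the DDS `Hosts:` lines from the log parse with the same function, so the script can be run over a pasted log before the machine is ever touched. The blackhole category matters as much as the redirect one: a 127.0.0.1 entry for a security forum or an update server produces no visible symptom, it just stops help from arriving.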

jmw3
2010-08-31, 05:10
Hi

I don't see any clear signs of an Anti-virus program - other than this:
Symantec AntiVirus Client - Is that up to date?

TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here (http://oldtimer.geekstogo.com/TFC.exe) & save it to your desktop.
Save any unsaved work. TFC Cleaner will close all open application windows
Double-click TFC.exe to run the program, your desktop will temporarily disappear
If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe & follow the prompts
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Download Security Check by screen317 from one of the following links & save it to your desktop:
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click SecurityCheck.exe to run it, then press any key at the prompt to continue
Once the tool has finished, a Notepad document should open named checkup.txt
Copy/paste the contents of checkup.txt & post in your next reply

To post in next reply:
ComboFix log
SecurityCheck log
Update on how the computer is running

Kristena
2010-08-31, 06:47
Here's the ComboFix report:

ComboFix 10-08-30.02 - Tena 08/30/2010 21:33:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.328 [GMT -7:00]
Running from: c:\documents and settings\Tena\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tena\Application Data\My Security Shield
c:\documents and settings\Tena\Application Data\My Security Shield\cookies.sqlite
c:\documents and settings\Tena\Recent\tjd.tmp

.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))
.

2010-08-26 16:47 . 2010-08-26 16:48 -------- d-----w- c:\program files\ERUNT
2010-08-21 06:02 . 2010-07-24 00:22 1496064 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-21 06:02 . 2010-07-24 00:22 43008 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-21 06:02 . 2010-07-24 00:22 338944 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-21 06:02 . 2010-07-24 00:22 346112 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-20 22:36 . 2010-08-20 22:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-20 20:23 . 2010-08-20 22:36 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-20 20:23 . 2010-08-20 22:36 -------- d-----w- c:\program files\PC Tools Security
2010-08-19 22:15 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-19 20:30 . 2010-08-19 20:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-19 20:21 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-19 20:20 . 2010-08-19 20:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-19 20:09 . 2010-08-19 22:19 -------- d-----w- c:\program files\SpywareBlaster
2010-08-19 20:01 . 2010-08-19 20:01 -------- d-----w- c:\documents and settings\Tena\Local Settings\Application Data\Sunbelt Software
2010-08-19 19:40 . 2010-08-19 19:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 19:40 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-19 19:38 . 2010-08-19 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-19 19:38 . 2010-08-19 19:38 -------- d-----w- c:\program files\Lavasoft
2010-08-06 19:00 . 2010-08-06 19:02 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-28 16:11 . 2009-11-26 18:15 58968 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-28 15:33 . 2009-08-05 17:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-26 23:20 . 2010-02-27 15:14 11736408 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\Installed Games\Free Realms\FreeRealms.exe
2010-08-26 22:17 . 2010-02-27 15:13 94208 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\Installed Games\Free Realms\GraphicsDriver.dll
2010-08-26 22:16 . 2010-02-27 15:14 2854912 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\Installed Games\Free Realms\GFxWrap.dll
2010-08-21 00:27 . 2010-02-27 15:11 251705 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\npsoeact.dll
2010-08-21 00:27 . 2010-02-27 15:11 -------- d-----w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment
2010-08-19 22:34 . 2009-05-27 21:13 73016 ----a-w- c:\documents and settings\Tena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-19 04:03 . 2010-07-01 04:43 -------- d-----w- c:\program files\Legacy Interactive
2010-08-19 04:03 . 2005-08-10 06:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-19 04:02 . 2009-07-12 19:29 -------- d-----w- c:\program files\Hasbro Interactive
2010-08-19 04:01 . 2009-12-19 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-08-03 15:45 . 2009-09-05 17:38 -------- d-----w- c:\documents and settings\Tena\Application Data\Big Fish Games
2010-07-28 15:09 . 2010-07-28 15:07 -------- d-----w- c:\program files\iTunes
2010-07-28 15:08 . 2010-07-28 15:08 -------- d-----w- c:\program files\iPod
2010-07-28 15:08 . 2009-07-01 23:30 -------- d-----w- c:\program files\Common Files\Apple
2010-07-28 14:57 . 2010-07-28 14:57 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-26 04:04 . 2010-07-26 03:58 -------- d-----w- c:\program files\The Crop Circles Mystery
2010-07-26 03:57 . 2010-07-26 03:44 140976928 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\GameDB\F5815T1L1\setup_gF5815T1L1_d972646745_l1_s1.exe
2010-06-30 12:31 . 2003-07-16 16:37 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2003-07-16 16:45 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2003-07-16 16:40 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 04:33 . 2010-06-18 04:33 4096 ----a-w- c:\windows\d3dx.dat
2010-06-17 14:03 . 2003-07-16 16:24 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2005-08-10 05:58 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2003-07-16 16:31 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 22:00 . 2010-06-10 22:00 143360 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\the-crop-circles-mystery_s1_l1_gF5815T1L1_d972646745.exe
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\Tena\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/19/2010 1:21 PM 64288]
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [11/21/2007 2:05 PM 15280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 5:15 AM 1355416]
S2 gupdate1ca170d751b90f8;Google Update Service (gupdate1ca170d751b90f8);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2009 8:16 PM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 5:15 AM 15008]
S3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]

2010-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-07 03:13]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 03:16]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 03:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2014090
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Tena\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: intuit.com\ttlc
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
FF - ProfilePath - c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\runtime@panda3d.org\platform\WINNT_x86-msvc\plugins\nppanda3d.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{076394AD-7FDD-44EF-A075-32C68DBAB99B} - (no file)
AddRemove-LiveUpdate1.7 - c:\program files\\Symantec\LiveUpdate\LSETUP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 21:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\prefs.js.BAK 55044 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-30 21:45:23
ComboFix-quarantined-files.txt 2010-08-31 04:45

Pre-Run: 6,311,325,696 bytes free
Post-Run: 6,541,320,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 993C13653AB63AF2C0B34E3210272727

Kristena
2010-08-31, 06:50
And here's the Security Check log:

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec AntiVirus Client
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Scholastic's I SPY Fun House
SpywareBlaster 4.3
Spybot - Search & Destroy
SpywareBlaster 4.3
Adobe Flash Player 10.1.82.76
Adobe Reader 9.3.3
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

jmw3
2010-08-31, 07:40
Hi

Please move ComboFix from your Downloads folders & place it directly onto your desktop.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:


Driver::
SBAPIFS
DDS::
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2014090
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
StartupFolder: c:\docume~1\tena\startm~1\programs\startup\imvu.lnk - c:\documents and settings\tena\application data\imvuclient\imvuqualityagent.exe
StartupFolder: c:\documents and settings\tena\start menu\programs\startup\PowerReg Scheduler.exe
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Tena\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: intuit.com\ttlc
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Kaspersky Online Scan
Please make sure that all programs are closed when installing Java.

Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website
Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
Click the orange Download JRE button to the right
Select Windows from the drop-down list for Platform
Select Multi-language from the drop-down list for Language
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue
Click on jre-6u21-windows-i586.exe link to download it and save this to a convenient location
Double click on jre-6u21-windows-i586.exe to install Java
After the Java installation has finished, go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan
Read through the requirements and privacy statement and click on Accept button
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
When the downloads have finished, click on Settings
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan
Once the scan is complete, it will display the results. Click on View Scan Report
You will see a list of infected items there. Click on Save Report As...
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
Please post this log in your next reply. Pictured tutorial if required (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
This scan will take quite some time to update & scan, so be patient with it.

To post in next reply:
ComboFix log
Kaspersky Online Scan log

Kristena
2010-08-31, 17:50
First off, thank you so much for your help! The puter is running really well and my google search is no longer in Dutch.

I've followed the instructions and can get as far as this:


Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"

and I get an error message that the CSFscript must be spelled wrong and it won't run.

Any ideas?

Kristena
2010-08-31, 18:40
I did get the combofix to run and get a report. Unfortunately, now my internet pages are taking 60+ seconds to load. Here's the combofix report and I'm off to do the Kaspersky.

ComboFix 10-08-30.02 - Tena 08/31/2010 8:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.328 [GMT -7:00]
Running from: c:\documents and settings\Tena\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tena\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\tena\startm~1\programs\startup\imvu.lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SBAPIFS
-------\Service_SBAPIFS


((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))
.

2010-08-26 16:47 . 2010-08-26 16:48 -------- d-----w- c:\program files\ERUNT
2010-08-21 06:02 . 2010-07-24 00:22 1496064 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-21 06:02 . 2010-07-24 00:22 43008 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-21 06:02 . 2010-07-24 00:22 338944 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-21 06:02 . 2010-07-24 00:22 346112 ----a-w- c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-20 22:36 . 2010-08-20 22:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-20 20:23 . 2010-08-20 22:36 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-20 20:23 . 2010-08-20 22:36 -------- d-----w- c:\program files\PC Tools Security
2010-08-19 22:15 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-19 20:30 . 2010-08-19 20:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-19 20:21 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-19 20:20 . 2010-08-19 20:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-19 20:09 . 2010-08-19 22:19 -------- d-----w- c:\program files\SpywareBlaster
2010-08-19 20:01 . 2010-08-19 20:01 -------- d-----w- c:\documents and settings\Tena\Local Settings\Application Data\Sunbelt Software
2010-08-19 19:40 . 2010-08-19 19:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 19:40 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-19 19:38 . 2010-08-19 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-19 19:38 . 2010-08-19 19:38 -------- d-----w- c:\program files\Lavasoft
2010-08-06 19:00 . 2010-08-06 19:02 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-28 16:11 . 2009-11-26 18:15 58968 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-28 15:33 . 2009-08-05 17:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-26 23:20 . 2010-02-27 15:14 11736408 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\Installed Games\Free Realms\FreeRealms.exe
2010-08-26 22:17 . 2010-02-27 15:13 94208 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\Installed Games\Free Realms\GraphicsDriver.dll
2010-08-26 22:16 . 2010-02-27 15:14 2854912 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\Installed Games\Free Realms\GFxWrap.dll
2010-08-21 00:27 . 2010-02-27 15:11 251705 ----a-w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment\npsoeact.dll
2010-08-21 00:27 . 2010-02-27 15:11 -------- d-----w- c:\documents and settings\Tena\Application Data\Sony Online Entertainment
2010-08-19 22:34 . 2009-05-27 21:13 73016 ----a-w- c:\documents and settings\Tena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-19 04:03 . 2010-07-01 04:43 -------- d-----w- c:\program files\Legacy Interactive
2010-08-19 04:03 . 2005-08-10 06:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-19 04:02 . 2009-07-12 19:29 -------- d-----w- c:\program files\Hasbro Interactive
2010-08-19 04:01 . 2009-12-19 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-08-03 15:45 . 2009-09-05 17:38 -------- d-----w- c:\documents and settings\Tena\Application Data\Big Fish Games
2010-07-28 15:09 . 2010-07-28 15:07 -------- d-----w- c:\program files\iTunes
2010-07-28 15:08 . 2010-07-28 15:08 -------- d-----w- c:\program files\iPod
2010-07-28 15:08 . 2009-07-01 23:30 -------- d-----w- c:\program files\Common Files\Apple
2010-07-28 14:57 . 2010-07-28 14:57 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-26 04:04 . 2010-07-26 03:58 -------- d-----w- c:\program files\The Crop Circles Mystery
2010-07-26 03:57 . 2010-07-26 03:44 140976928 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\GameManager\GameDB\F5815T1L1\setup_gF5815T1L1_d972646745_l1_s1.exe
2010-06-30 12:31 . 2003-07-16 16:37 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2003-07-16 16:45 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2003-07-16 16:40 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 04:33 . 2010-06-18 04:33 4096 ----a-w- c:\windows\d3dx.dat
2010-06-17 14:03 . 2003-07-16 16:24 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2003-07-16 16:31 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 22:00 . 2010-06-10 22:00 143360 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\the-crop-circles-mystery_s1_l1_gF5815T1L1_d972646745.exe
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\Tena\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PowerReg Scheduler.exe [2010-1-29 256000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/19/2010 1:21 PM 64288]
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [11/21/2007 2:05 PM 15280]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 5:15 AM 1355416]
S2 gupdate1ca170d751b90f8;Google Update Service (gupdate1ca170d751b90f8);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2009 8:16 PM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 5:15 AM 15008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]

2010-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-07 03:13]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 03:16]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 03:16]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Tena\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
FF - ProfilePath - c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Tena\Application Data\Mozilla\Firefox\Profiles\fdwm9rbr.default\extensions\runtime@panda3d.org\platform\WINNT_x86-msvc\plugins\nppanda3d.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-31 09:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(956)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-08-31 09:25:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-31 16:24
ComboFix2.txt 2010-08-31 04:45

Pre-Run: 6,444,101,632 bytes free
Post-Run: 6,269,317,120 bytes free

- - End Of File - - E22BC97EDC5F116AD319BD1C82AC1D47

jmw3
2010-09-01, 01:14
Hi


Unfortunately, now my internet pages are taking 60+ seconds to load.

We'll have a look at that shortly.

How are you going with the Kaspersky Online Scan?

Kristena
2010-09-01, 02:18
I'm still working on the Kaspersky. I loaded it and it has frozen 6 times requiring a re-boot. I then got it to work but left the house and my teen deleted it. So I will run it again.

jmw3
2010-09-01, 03:00
OK, no worries

It does take quite a while to scan, but if you continue to have problems with it, try this one instead:
ESET Online Scanner
Go here (http://www.eset.com/onlinescan/) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Kristena
2010-09-01, 20:54
Ok, I tried to run the Kaspersky last night but it quit again at about 13% but I was successful with the ESET.

Here's the report:

C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(2).exe a variant of Win32/Adware.Gamevance.AK application
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(3).exe a variant of Win32/Adware.Gamevance.AK application
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(4).exe a variant of Win32/Adware.Gamevance.AK application
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(5).exe a variant of Win32/Adware.Gamevance.AK application
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(6).exe a variant of Win32/Adware.Gamevance.AK application
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi.exe a variant of Win32/Adware.Gamevance.AK application
C:\Documents and Settings\Tena\Start Menu\Programs\Startup\PowerReg Scheduler.exe Win32/PowerReg application
C:\System Volume Information\_restore{9F9660BC-81CA-4C7E-88E6-FA74CF852C3F}\RP1034\A0096887.mof Win32/RogueAV.A trojan
C:\System Volume Information\_restore{9F9660BC-81CA-4C7E-88E6-FA74CF852C3F}\RP1034\A0096888.exe Win32/PowerReg application

jmw3
2010-09-02, 00:24
OTM
Download OTM by OldTimer Here (http://oldtimer.geekstogo.com/OTM.exe) & save it to your desktop.
Double click on OTM.exe to run it
Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(2).exe
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(3).exe
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(4).exe
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(5).exe
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(6).exe
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi.exe
C:\Documents and Settings\Tena\Start Menu\Programs\Startup\PowerReg Scheduler.exe
:Commands
[RESETHOSTS]
[Purity]
[EmptyTemp]
[Reboot]
Click on MoveIt!
When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

And one final check:
Random's System Information Tool (RSIT)
Download Random's System Information Tool (RSIT) by random/random from Here (http://images.malwareremoval.com/random/RSIT.exe) & save it to your desktop. Double click on RSIT.exe to run the tool
Click Continue at the disclaimer screen
Once it has finished, two logs will open, log.txt (<<will be maximized) and info.txt (<<will be minimized)
Copy & paste the contents of both logs in your next reply
If info.txt does not minimise to the Task Bar, you will find it in C:\rsit

To post in next reply:
OTM log
RSIT log
Info Log
Update on how the computer is running

Kristena
2010-09-02, 07:25
OK, I've got some reports for you. I think this is the world's longest post.

OTM

All processes killed
========== FILES ==========
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(2).exe moved successfully.
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(3).exe moved successfully.
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(4).exe moved successfully.
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(5).exe moved successfully.
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi(6).exe moved successfully.
C:\Documents and Settings\Tena\My Documents\Downloads\SetupPlaySushi.exe moved successfully.
C:\Documents and Settings\Tena\Start Menu\Programs\Startup\PowerReg Scheduler.exe moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 551681 bytes

User: Tena
->Temp folder emptied: 123190129 bytes
->Temporary Internet Files folder emptied: 14548766 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 100515559 bytes
->Google Chrome cache emptied: 209152352 bytes
->Flash cache emptied: 18249 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 427.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 09012010_220757

Files moved on Reboot...

Registry entries deleted on Reboot...




random/random

info.txt logfile of random's system information tool 1.08 2010-09-01 22:20:25

======Uninstall list======

-->C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7C06F60-C1A0-4D8C-85BA-15A18B93AA13}\setup.exe" -l0x9 -uninst -f"C:\Program Files\Scholastic's Clifford\Clifford Musical Memory Games\Uninst.isu" -c"C:\Program Files\Scholastic's Clifford\Clifford Musical Memory Games\_UnInstall.dll"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1 Penguin 100 Cases-->"C:\Program Files\1 Penguin 100 Cases\Uninstall.exe"
2WIRE Wireless LAN - USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{581CE7EA-A30D-0000-1211-088635773309}\Setup.exe" -l0x9
2Wire Wireless Manager-->MsiExec.exe /X{3CE11B98-C61C-4692-9E0E-59934761C3BE}
Acrobat.com-->msiexec /qb /x {C735206E-A8D7-2DC8-EADF-744C18174654}
Acrobat.com-->MsiExec.exe /I{C735206E-A8D7-2DC8-EADF-744C18174654}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -maintain plugin
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 9.3.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Amazon Kindle For PC v1.1-->C:\Program Files\Amazon\Kindle For PC\uninstall.exe
AnswerWorks 5.0 English Runtime-->MsiExec.exe /I{9E5A03E3-6246-4920-9630-0527D5DA9B07}
Apple Application Support-->MsiExec.exe /I{B2D328BE-45AD-4D92-96F9-2151490A203E}
Apple Mobile Device Support-->MsiExec.exe /I{85991ED2-010C-4930-96FA-52F43C2CE98A}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Barbie(R) Pet Rescue-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mattel Interactive\Barbie(R)\Barbie(R) Pet Rescue\Uninst.isu"
Big Fish Games: Game Manager-->C:\Program Files\bfgclient\Uninstall.exe
Bonjour-->MsiExec.exe /X{0CB9668D-F979-4F31-B8B8-67FE90F929F8}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dark Parables: Curse of Briar Rose-->"C:\Program Files\Dark Parables - Curse of Briar Rose\Uninstall.exe"
Dark Tales:™ Edgar Allan Poe`s Murders in the Rue Morgue Collector`s Edition-->"C:\Program Files\Dark Tales - Edgar Allan Poes Murders in the Rue Morgue Collectors Edition\Uninstall.exe"
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dream Chronicles-->"C:\Program Files\Dream Chronicles\Uninstall.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Google Chrome-->"C:\Program Files\Google\Chrome\Application\5.0.375.127\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{F7B0939E-58DF-11DF-B3A6-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Harry Potter II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7BF68B83-5057-4D4B-0093-28285EEB9EE3}\setup.exe" -l0x9 Uninstall
Harry Potter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F50AF3B-8997-4916-0095-99D63DDB785A}\setup.exe" -l0x9 Uninstall
Haunted Manor: Lord of Mirrors-->"C:\Program Files\Haunted Manor - Lord of Mirrors\Uninstall.exe"
Hidden Expedition ® - Devil's Triangle-->"C:\Program Files\Hidden Expedition_DevilsTriangle\Uninstall.exe"
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
iTunes-->MsiExec.exe /I{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}
Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020F0}
Java(TM) 6 Update 21-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216021FF}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Small Business Edition 2003-->MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Midnight Mysteries: Salem Witch Trials-->"C:\Program Files\Midnight Mysteries - Salem Witch Trials\Uninstall.exe"
Mind Power(TM) Math - Pre Algebra-->C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Mind Power(TM) Math - Pre Algebra\Uninstall.xml"
Miss Spider-->C:\MISSSP~1\UNINST~1.EXE C:\MISSSP~1\INSTALL.LOG
Mobipocket Creator 4.2-->MsiExec.exe /I{AFE499B5-FCC4-45E6-A1A5-3C51AE0E539B}
Mozilla Firefox (3.6.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mystery Case Files®: Dire Grove™ Collector's Edition-->"C:\Program Files\Mystery Case Files - Dire Grove Collector's Edition\Uninstall.exe"
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OverDrive Media Console-->MsiExec.exe /I{8ED929E5-37D5-4E01-8052-4FF5E67F403D}
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
PuppetShow: Souls of the Innocent-->"C:\Program Files\PuppetShow - Souls of the Innocent\Uninstall.exe"
Puzzlemania - Desert-->C:\WINDOWS\IsUninst.exe -fC:\Highlights\Puzzlemania\Desert\Uninst.isu
Puzzlemania - Jungle-->C:\WINDOWS\IsUninst.exe -fC:\Highlights\Puzzlemania\Jungle\Uninst.isu
Puzzlemania - Space-->C:\WINDOWS\IsUninst.exe -fC:\Highlights\Puzzlemania\Space\Uninst.isu
QuickTime-->MsiExec.exe /I{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}
Scholastic's I SPY Fun House-->C:\PROGRA~1\SCHOLA~1\ISPYFU~1\UNWISE.EXE C:\PROGRA~1\SCHOLA~1\ISPYFU~1\INSTALL.LOG
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2183461)-->"C:\WINDOWS\ie8updates\KB2183461-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2079403)-->"C:\WINDOWS\$NtUninstallKB2079403$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2115168)-->"C:\WINDOWS\$NtUninstallKB2115168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2160329)-->"C:\WINDOWS\$NtUninstallKB2160329$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2286198)-->"C:\WINDOWS\$NtUninstallKB2286198$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980436)-->"C:\WINDOWS\$NtUninstallKB980436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981852)-->"C:\WINDOWS\$NtUninstallKB981852$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981997)-->"C:\WINDOWS\$NtUninstallKB981997$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982214)-->"C:\WINDOWS\$NtUninstallKB982214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982665)-->"C:\WINDOWS\$NtUninstallKB982665$\spuninst\spuninst.exe"
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.3-->"C:\Program Files\SpywareBlaster\unins000.exe"
Symantec AntiVirus Client-->MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
The Crop Circles Mystery-->"C:\Program Files\The Crop Circles Mystery\Uninstall.exe"
TurboTax 2008 WinPerFedFormset-->MsiExec.exe /I{7570F1CA-016D-46AC-B586-CD74645EFB52}
TurboTax 2008 WinPerProgramHelp-->MsiExec.exe /I{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}
TurboTax 2008 WinPerReleaseEngine-->MsiExec.exe /I{88214092-836F-4E22-A5AC-569AC9EE6A0F}
TurboTax 2008 WinPerTaxSupport-->MsiExec.exe /I{B23726CF-68BF-41A6-A4EB-72F12F87FE05}
TurboTax 2008 WinPerUserEducation-->MsiExec.exe /I{29521505-F489-4822-ADFA-32C6DEE4F114}
TurboTax 2008 wrapper-->MsiExec.exe /I{B1DB1AD8-C07E-4052-81A1-D2930232BA70}
TurboTax 2008-->C:\Program Files\TurboTax\Deluxe 2008\Installer\TurboTax 2008 Installer.exe /u /t /a
TurboTax 2009 wcaiper-->MsiExec.exe /I{360EDFB0-EAA2-012B-AD16-000000000000}
TurboTax 2009 WinPerFedFormset-->MsiExec.exe /I{3881DB80-EAA2-012B-ADAE-000000000000}
TurboTax 2009 WinPerReleaseEngine-->MsiExec.exe /I{38975F50-EAA2-012B-ADB4-000000000000}
TurboTax 2009 WinPerTaxSupport-->MsiExec.exe /I{38A34630-EAA2-012B-ADB6-000000000000}
TurboTax 2009 wrapper-->MsiExec.exe /I{3C5A81D0-EAA2-012B-AE9F-000000000000}
TurboTax 2009-->C:\Program Files\TurboTax\Deluxe 2009\Installer\TurboTax 2009 Installer.exe /u /t /a
Unsolved Mystery Club™: Amelia Earhart™-->"C:\Program Files\Unsolved Mystery Club - Amelia Earhart\Uninstall.exe"
Unwell Mel ™-->"C:\Program Files\Unwell Mel\Uninstall.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray-->"C:\WINDOWS\$NtUninstallKB952011$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Zylom Games Player Plugin-->"C:\Program Files\Zylom Games\UninstallPlugin.exe" --uninstall

======Hosts File======

::1 localhost

======System event log======

Computer Name: NBRSWS22
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

Record Number: 20359
Source Name: LSASRV
Time Written: 20080206115757.000000-480
Event Type: warning
User:

Computer Name: NBRSWS22
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

Record Number: 20358
Source Name: LSASRV
Time Written: 20080206105745.000000-480
Event Type: warning
User:

Computer Name: NBRSWS22
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

Record Number: 20357
Source Name: LSASRV
Time Written: 20080206095744.000000-480
Event Type: warning
User:

Computer Name: NBRSWS22
Event Code: 20
Message: Printer Driver RICOH Aficio MP C4500 PCL 5c for Windows NT x86 Version-3 was added or updated. Files:- RIC541K.DLL, RIC541U.DLL, RIC541K.DLL, RIC541.HLP, RIC541P.DLL, RIC541C.DLL, RIC541L.DLL, RIC541X.DLL, RIC541S.DLL, RIC541J.DLL, RIC541Q.EXE, RIC541ZU.DLL, RIC541ZK.DLL, RIC541WU.DLL, RIC541WK.DLL, RIC541PI.DLL, RIC541SR.EXE, RIC541CF.DLL, RIC541X.EXE, TrackID.DLL, TIBase64.dll, TIFmtA.dll, RICJC32.dll, JCUI.exe.

Record Number: 20356
Source Name: Print
Time Written: 20080206092831.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: NBRSWS22
Event Code: 20
Message: Printer Driver RICOH Aficio MP C4500 PCL 5c for Windows NT x86 Version-3 was added or updated. Files:- RIC541K.DLL, RIC541U.DLL, RIC541K.DLL, RIC541.HLP, RIC541P.DLL, RIC541C.DLL, RIC541L.DLL, RIC541X.DLL, RIC541S.DLL, RIC541J.DLL, RIC541Q.EXE, RIC541ZU.DLL, RIC541ZK.DLL, RIC541WU.DLL, RIC541WK.DLL, RIC541PI.DLL, RIC541SR.EXE, RIC541CF.DLL, RIC541X.EXE, TrackID.DLL, TIBase64.dll, TIFmtA.dll, RICJC32.dll, JCUI.exe.

Record Number: 20355
Source Name: Print
Time Written: 20080206085740.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: NBRSWS22
Event Code: 1085
Message: The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 7944
Source Name: Userenv
Time Written: 20080107142929.000000-480
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: NBRSWS22
Event Code: 1085
Message: The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 7943
Source Name: Userenv
Time Written: 20080107125910.000000-480
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: NBRSWS22
Event Code: 1085
Message: The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 7942
Source Name: Userenv
Time Written: 20080107110719.000000-480
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: NBRSWS22
Event Code: 1085
Message: The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.

Record Number: 7940
Source Name: Userenv
Time Written: 20080107092240.000000-480
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: NBRSWS22
Event Code: 1525
Message: Windows has detected that Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption, Offline Caching must be disabled on shares where roaming user profiles are stored.



Record Number: 7939
Source Name: Userenv
Time Written: 20080107092231.000000-480
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------



Logfile of random's system information tool 1.08 (written by random/random)
Run by Tena at 2010-09-01 22:17:18
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (15%) free of 38 GB
Total RAM: 510 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:19:41 PM, on 9/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tena\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Tena.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ˙ž127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [2Wire Wireless Manager] "C:\Program Files\2Wire Wireless Manager\2Wire.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tena\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185993201343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185993393984
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Update Service (gupdate1ca170d751b90f8) (gupdate1ca170d751b90f8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)

--
End of file - 7810 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 118836]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-08-06 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-08-31 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-08-31 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2003-04-07 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2003-04-07 114688]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-03-15 122933]
"2Wire Wireless Manager"=C:\Program Files\2Wire Wireless Manager\2Wire.exe [2007-10-01 61440]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-07-21 141608]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-08-06 39408]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\Tena\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-07 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

2010-09-01 22:17:33 ----D---- C:\Program Files\trend micro
2010-09-01 22:17:18 ----D---- C:\rsit
2010-09-01 22:08:51 ----SHD---- C:\RECYCLER
2010-09-01 22:07:57 ----D---- C:\_OTM
2010-09-01 10:09:47 ----D---- C:\Program Files\ESET
2010-08-31 10:14:24 ----D---- C:\WINDOWS\Sun
2010-08-31 10:13:48 ----A---- C:\WINDOWS\system32\javaws.exe
2010-08-31 10:13:48 ----A---- C:\WINDOWS\system32\javaw.exe
2010-08-31 10:13:48 ----A---- C:\WINDOWS\system32\java.exe
2010-08-31 10:08:42 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-08-31 10:08:38 ----D---- C:\Program Files\Common Files\Java
2010-08-31 10:08:15 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-08-31 10:07:48 ----D---- C:\Program Files\Java
2010-08-31 10:05:47 ----D---- C:\Documents and Settings\Tena\Application Data\Sun
2010-08-31 09:25:15 ----D---- C:\WINDOWS\temp
2010-08-31 09:25:08 ----A---- C:\ComboFix.txt
2010-08-31 08:58:01 ----A---- C:\WINDOWS\NIRCMD.exe
2010-08-30 21:31:01 ----A---- C:\Boot.bak
2010-08-30 21:30:54 ----RASHD---- C:\cmdcons
2010-08-30 21:26:36 ----A---- C:\WINDOWS\MBR.exe
2010-08-30 21:26:35 ----A---- C:\WINDOWS\PEV.exe
2010-08-30 21:26:34 ----A---- C:\WINDOWS\zip.exe
2010-08-30 21:26:34 ----A---- C:\WINDOWS\SWREG.exe
2010-08-30 21:26:34 ----A---- C:\WINDOWS\sed.exe
2010-08-30 21:26:34 ----A---- C:\WINDOWS\grep.exe
2010-08-30 21:26:33 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-08-30 21:26:33 ----A---- C:\WINDOWS\SWSC.exe
2010-08-30 21:24:21 ----D---- C:\Qoobox
2010-08-26 09:48:58 ----D---- C:\WINDOWS\ERDNT
2010-08-26 09:47:51 ----D---- C:\Program Files\ERUNT
2010-08-20 23:02:49 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2010-08-20 13:23:34 ----D---- C:\Program Files\Common Files\PC Tools
2010-08-20 13:23:33 ----D---- C:\Program Files\PC Tools Security
2010-08-19 15:15:36 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-08-19 13:21:10 ----A---- C:\WINDOWS\system32\drivers\Lbd.sys
2010-08-19 13:20:38 ----A---- C:\WINDOWS\system32\drivers\SBREDrv.sys
2010-08-19 13:09:28 ----D---- C:\Program Files\SpywareBlaster
2010-08-19 12:40:10 ----HDC---- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-19 12:38:01 ----D---- C:\Program Files\Lavasoft
2010-08-19 12:38:01 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2010-08-15 03:19:15 ----HDC---- C:\WINDOWS\$NtUninstallKB982214$
2010-08-15 03:18:43 ----HDC---- C:\WINDOWS\$NtUninstallKB2115168$
2010-08-15 03:12:55 ----HDC---- C:\WINDOWS\$NtUninstallKB981852$
2010-08-15 03:12:27 ----HDC---- C:\WINDOWS\$NtUninstallKB2079403$
2010-08-15 03:06:30 ----HDC---- C:\WINDOWS\$NtUninstallKB2160329$
2010-08-15 03:06:22 ----HDC---- C:\WINDOWS\$NtUninstallKB980436$
2010-08-15 03:02:40 ----HDC---- C:\WINDOWS\$NtUninstallKB981997$
2010-08-15 03:01:39 ----HDC---- C:\WINDOWS\$NtUninstallKB982665$
2010-08-06 12:00:51 ----D---- C:\WINDOWS\system32\NtmsData
2010-08-03 03:00:59 ----HDC---- C:\WINDOWS\$NtUninstallKB2286198$
2010-07-28 08:08:17 ----D---- C:\Program Files\iPod
2010-07-28 08:07:51 ----D---- C:\Program Files\iTunes
2010-07-25 20:58:29 ----D---- C:\Program Files\The Crop Circles Mystery
2010-07-15 03:05:20 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$
2010-06-30 21:43:21 ----D---- C:\Program Files\Legacy Interactive
2010-06-30 07:57:45 ----D---- C:\Program Files\Bonjour
2010-06-28 12:32:14 ----D---- C:\Program Files\PuppetShow - Souls of the Innocent
2010-06-25 13:42:23 ----D---- C:\Program Files\Hidden Expedition_DevilsTriangle
2010-06-24 22:43:12 ----D---- C:\Program Files\Dream Chronicles
2010-06-23 00:06:11 ----D---- C:\Program Files\Midnight Mysteries - Salem Witch Trials
2010-06-17 21:34:32 ----D---- C:\Documents and Settings\Tena\Application Data\Silverback Productions
2010-06-11 03:44:13 ----HDC---- C:\WINDOWS\$NtUninstallKB980218$
2010-06-11 03:37:20 ----HDC---- C:\WINDOWS\$NtUninstallKB980195$
2010-06-11 03:32:51 ----HDC---- C:\WINDOWS\$NtUninstallKB979559$
2010-06-11 03:21:09 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-06-11 03:21:02 ----HDC---- C:\WINDOWS\$NtUninstallKB979482$
2010-06-11 03:20:46 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-06-02 22:05:14 ----D---- C:\Documents and Settings\Tena\Application Data\Freeze Tag

======List of files/folders modified in the last 3 months======

2010-09-01 22:17:33 ----RD---- C:\Program Files
2010-09-01 22:16:50 ----D---- C:\WINDOWS\Prefetch
2010-09-01 22:11:07 ----SD---- C:\WINDOWS\Tasks
2010-09-01 22:09:28 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-09-01 22:08:05 ----D---- C:\WINDOWS\system32\drivers\etc
2010-09-01 10:09:52 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-09-01 10:09:50 ----D---- C:\WINDOWS\system32\CatRoot2
2010-09-01 06:30:21 ----A---- C:\WINDOWS\smartkeydiagnostics.txt
2010-08-31 10:14:24 ----D---- C:\WINDOWS
2010-08-31 10:14:04 ----SHD---- C:\WINDOWS\Installer
2010-08-31 10:13:53 ----D---- C:\Config.Msi
2010-08-31 10:13:48 ----D---- C:\WINDOWS\system32
2010-08-31 10:08:38 ----D---- C:\Program Files\Common Files
2010-08-31 09:29:36 ----D---- C:\WINDOWS\system32\drivers
2010-08-31 09:10:38 ----A---- C:\WINDOWS\system.ini
2010-08-31 09:08:10 ----D---- C:\WINDOWS\system32\config
2010-08-31 09:05:50 ----D---- C:\WINDOWS\AppPatch
2010-08-30 21:31:01 ----RASH---- C:\boot.ini
2010-08-30 15:50:13 ----SHD---- C:\WINDOWS\CSC
2010-08-30 15:50:12 ----D---- C:\WINDOWS\Minidump
2010-08-28 08:33:33 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-08-20 21:48:02 ----D---- C:\WINDOWS\system32\wbem
2010-08-20 21:47:53 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-08-20 17:27:55 ----D---- C:\Documents and Settings\Tena\Application Data\Sony Online Entertainment
2010-08-20 15:36:59 ----D---- C:\WINDOWS\Registration
2010-08-20 15:36:22 ----D---- C:\Documents and Settings
2010-08-20 15:36:21 ----D---- C:\WINDOWS\WinSxS
2010-08-19 13:21:44 ----HD---- C:\WINDOWS\inf
2010-08-19 13:21:10 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-08-18 21:03:20 ----HD---- C:\Program Files\InstallShield Installation Information
2010-08-18 21:02:59 ----D---- C:\Program Files\Hasbro Interactive
2010-08-18 21:01:37 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2010-08-18 21:00:01 ----RSD---- C:\WINDOWS\Fonts
2010-08-17 18:14:59 ----D---- C:\WINDOWS\system32\Macromed
2010-08-15 03:35:00 ----RSD---- C:\WINDOWS\assembly
2010-08-15 03:24:28 ----D---- C:\WINDOWS\Microsoft.NET
2010-08-15 03:19:18 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-08-15 03:19:14 ----HD---- C:\WINDOWS\$hf_mig$
2010-08-15 03:19:10 ----A---- C:\WINDOWS\imsins.BAK
2010-08-15 03:16:33 ----A---- C:\WINDOWS\win.ini
2010-08-15 03:06:55 ----D---- C:\Program Files\Internet Explorer
2010-08-15 03:06:44 ----D---- C:\WINDOWS\ie8updates
2010-08-15 03:02:43 ----D---- C:\Program Files\Movie Maker
2010-08-06 12:38:08 ----D---- C:\Program Files\Mozilla Firefox
2010-08-03 11:09:31 ----A---- C:\WINDOWS\system32\MRT.exe
2010-08-03 08:45:20 ----D---- C:\Documents and Settings\Tena\Application Data\Big Fish Games
2010-07-28 08:08:12 ----D---- C:\Program Files\Common Files\Apple
2010-07-26 23:30:35 ----A---- C:\WINDOWS\system32\shell32.dll
2010-07-05 10:26:39 ----A---- C:\WINDOWS\hegames.ini
2010-07-05 10:26:14 ----D---- C:\hegames
2010-07-01 08:45:49 ----D---- C:\Documents and Settings\Tena\Application Data\Apple Computer
2010-06-30 22:23:02 ----SD---- C:\Documents and Settings\Tena\Application Data\Microsoft
2010-06-30 05:31:35 ----A---- C:\WINDOWS\system32\schannel.dll
2010-06-27 22:57:32 ----D---- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2010-06-26 16:40:26 ----D---- C:\Documents and Settings\Tena\Application Data\ERS G-Studio
2010-06-24 17:51:58 ----A---- C:\WINDOWS\system32\ieframe.dll
2010-06-24 05:22:03 ----A---- C:\WINDOWS\system32\wininet.dll
2010-06-24 05:22:02 ----A---- C:\WINDOWS\system32\urlmon.dll
2010-06-24 05:22:01 ----N---- C:\WINDOWS\system32\occache.dll
2010-06-24 05:22:01 ----N---- C:\WINDOWS\system32\mstime.dll
2010-06-24 05:22:01 ----A---- C:\WINDOWS\system32\mshtml.dll
2010-06-24 05:21:59 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2010-06-24 05:21:59 ----A---- C:\WINDOWS\system32\msfeeds.dll
2010-06-24 05:21:59 ----A---- C:\WINDOWS\system32\jsproxy.dll
2010-06-24 05:21:58 ----N---- C:\WINDOWS\system32\iepeers.dll
2010-06-24 05:21:58 ----A---- C:\WINDOWS\system32\iertutil.dll
2010-06-24 05:21:55 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2010-06-23 05:08:09 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2010-06-17 07:03:00 ----N---- C:\WINDOWS\system32\iccvid.dll
2010-06-14 00:41:45 ----A---- C:\WINDOWS\system32\msxml3.dll
2010-06-06 11:14:08 ----D---- C:\Program Files\Adobe
2010-06-06 11:11:06 ----D---- C:\Program Files\Common Files\Adobe AIR
2010-06-05 07:22:18 ----D---- C:\Program Files\Microsoft Silverlight

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 drvmcdb;drvmcdb; C:\WINDOWS\system32\drivers\drvmcdb.sys [2004-02-13 86160]
R0 Lbd;Lbd; C:\WINDOWS\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2004-03-03 20176]
R0 SBHR;SBHR; C:\WINDOWS\system32\drivers\sbhr.sys [2008-01-30 15280]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-01-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-01-14 23219]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-02-27 40480]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-03-15 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-03-15 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-03-15 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-03-15 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-03-15 85972]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-03-15 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-03-15 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-03-15 98580]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-03-15 100597]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-01-15 42368]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-06-22 51088]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-06-22 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-06-22 21744]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-07-16 12160]
R3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCTINDIS5.SYS []
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS); C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 Lavasoft Kernexplorer;Lavasoft helper driver; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys []
S3 NAVAP;NAVAP; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys []
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20020619.005\NAVENG.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20020619.005\NAVEX15.sys []
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2010-04-19 41984]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-06-10 144176]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-05-18 345376]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-09-29 13088]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-08-31 153376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-12 1355416]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-07-21 540968]
S2 DefWatch;DefWatch; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe []
S2 gupdate1ca170d751b90f8;Google Update Service (gupdate1ca170d751b90f8); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-06 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-06 190448]
S2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Kristena
2010-09-02, 07:26
And I think the computer's running just fine. The teenagers agree!

jmw3
2010-09-02, 08:14
Hi

Fix HiJackThis Entries
Open HiJackThis
Click on Do a system scan only
Place a checkmark next to these lines (if still present):
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tena\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
Close all windows except HijackThis and click Fix Checked
Click Yes when prompted
Close HijackThis & re-boot your computer.
I don't see any evidence of an Anti-virus program - other than what appears to be left overs from an uninstall of a Symantec product.
What are you using for Anti-virus protection?
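
The two things jmw3 picks out of the log above (the IMVU button and the Symantec remnants) are both visible from a single marker: the "(file missing)" tag HijackThis appends when the entry's target is gone, and the "Unknown owner" vendor field on an O23 service. The script below is an added example written for this page; it is not part of HijackThis, Spybot, or anything the helpers posted. It parses O2/O4/O9/O23 lines in the HijackThis 2.0.4 format seen above, flags orphaned entries, services with no vendor string, and O4 autostarts that run from outside the Windows and Program Files trees. The sample lines are copied from the log posted in this thread, except for the [updater] O4 line, which is constructed and not in the log, added only to exercise the user-writable-location check. The trusted-root list and the "(file missing)" handling are assumptions about this one XP box's layout, not a general rule.

```python
"""Triage of HijackThis-style log lines (added example for this thread; it is
not part of HijackThis, Spybot or anything the helper posted).

Flags three things a helper checks by eye in a pasted log:
  * entries whose target HijackThis marked "(file missing)" (orphaned, fixable)
  * O23 services whose binary has no vendor string ("Unknown owner")
  * O4 autostarts that run from outside the Windows / Program Files trees
"""
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section, e.g. "O4", "O9", "O23"
    name: str      # entry name as shown in the log
    path: str      # executable/DLL/shortcut path with quotes and args stripped
    reason: str    # why the entry was flagged


# One regex per line type handled here; named groups name, path and (for
# services) vendor. Assumes the HijackThis 2.0.4 line format seen in the log.
ENTRY_PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")),
    ("O4", re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")),
    ("O4", re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<path>.+)$")),
    ("O9", re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")),
]

MISSING_MARKER = "(file missing)"
# Roots an autostart is expected to live under on this XP box (assumption).
# Anything else (profile folders, Temp, the root of C:) is user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def executable_path(value: str) -> str:
    """Return the binary path from a Run/Startup/service value, dropping
    surrounding quotes, command-line arguments and the '(file missing)' tag."""
    value = value.replace(MISSING_MARKER, "").strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"^(.+?\.(?:exe|dll|scr|lnk|cpl))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def triage(lines: Iterable[str]) -> List[Finding]:
    """Parse the recognised lines and return one Finding per flagged condition
    (a single line can produce more than one)."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for section, pattern in ENTRY_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            name, value = m.group("name"), m.group("path")
            exe = executable_path(value)
            if MISSING_MARKER in value:
                findings.append(Finding(section, name, exe, "target file missing: orphaned entry"))
            if section == "O23" and m.group("vendor") == "Unknown owner":
                findings.append(Finding(section, name, exe, "service binary carries no vendor in its version info"))
            if section == "O4" and not exe.lower().startswith(TRUSTED_ROOTS):
                findings.append(Finding(section, name, exe, "autostart from a user-writable location"))
            break  # line matched one pattern; no need to try the rest
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread,
# plus ONE constructed line (the [updater] O4 entry) that is NOT in that log
# and exists only to exercise the user-writable-location check.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [2Wire Wireless Manager] "C:\Program Files\2Wire Wireless Manager\2Wire.exe" -a
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Tena\Local Settings\Temp\updater.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tena\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (file missing)
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<45} {f.reason}\n     {f.path}")
```

Run against the sample it reports the IMVU button once, each of the two Symantec services twice (missing binary and no vendor), and the constructed Temp autostart once; the Adobe BHO, the Intel and 2Wire Run entries, the ERUNT startup shortcut and Bonjour produce nothing. A clean hit list like that is exactly what goes into the "Fix Checked" step, but the script only prioritises; whether an entry is actually unwanted still needs the helper's judgement.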

Kristena
2010-09-02, 15:39
Sorry, where do I find HiJackThis?

jmw3
2010-09-02, 16:07
Hi

Sorry about that...
It will be located at C:\Program Files\trend micro
The HijackThis executable will be renamed to Tena.exe. Double click Tena.exe to run HiJackThis


What are you using for Anti-virus protection?

Kristena
2010-09-02, 22:01
Ok, I did the HiJackThis and followed your directions and have rebooted.

As to the anti-virus, I've used AVG previously and just recently deleted it after this latest infection because other scans kept saying it was incompatible. I'm open to suggestions for an anti-virus!

jmw3
2010-09-03, 01:46
Hi
OK, first let's get rid of the remnants of Symantec:
Visit the following website & choose the Norton removal Tool that is appropriate to the product you had installed:
http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US

Then download & install one of the following free Anti-virus products.

Anti-virus
Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Download free anti-virus software from one of these excellent vendors NOW:

1) Microsoft Security Essentials (http://www.microsoft.com/security_essentials/default.aspx?mkt=en-us) - Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
2) Antivir PersonalEdition Classic (http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
3) avast! 4 Home Edition (http://files.avast.com/iavs4pro/setupeng.exe) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

Your computer must have only ONE anti-virus program installed at any time. Having more than one anti-virus program installed & active will cause program conflicts, false virus alerts, and system crashes.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Double-click OTM
Click the CleanUp! button
Select Yes when the Begin cleanup Process? prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it yourself
You can delete the following from your desktop:
TFC.exe
The Gmer.exe file (it will be randomly named .exe file)
SecurityCheck.exe
Any logs that may have been saved to your desktop

Let me know how you go or of any problems before we wrap this up.

Kristena
2010-09-03, 04:21
Ok, loaded Avast and have deleted what you've asked.

Can I still have Adaware, Spybot and SpywareBlaster if I use Avast?

jmw3
2010-09-03, 04:46
Hi

Avast should play nicely with either Ad-Aware or Spybot. Just remember the general rule of thumb is to have only one Anti-virus program & one Anti-Spyware program running with real-time protection enabled. So that would mean only having either Ad-Aware's Ad-Watch running or Spybot's TeaTimer running at once - Not Both. This should eliminate any conflicts.
SpywareBlaster won't cause any conflicts at all - SpywareBlaster isn't a scanner. It writes a pre-configured set of entries into your Registry to block the installation of known unwanted ActiveX controls. Make sure you keep it updated.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here (http://www.besttechie.net/software/) & find a tutorial here (http://thespykiller.co.uk/index.php/topic,5946.0.html). Keep it updated & run it regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
Install MVPS Hosts File From Here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can Find the Tutorial HERE (http://www.mvps.org/winhelp2002/hosts2.htm)

Web of Trust
WOT (http://www.mywot.com/), Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol
Download it here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

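The HOSTS-file mechanism described above, as an added worked example that is not part of the original post or of the MVPS list: a small Python parser for the HOSTS format and an emulation of the lookup order (HOSTS file first, then DNS), which is what makes the "short circuit" work. The host names ending in .invalid, the sample entries and the stand-in DNS answers are constructed for the example; the parser accepts 127.0.0.1 (as in the post) and 0.0.0.0 as sinkhole addresses, since blocklists use both.

```python
"""Added example (not from the thread): how a HOSTS file short-circuits a lookup.

Windows reads %SystemRoot%\\System32\\drivers\\etc\\hosts before asking DNS, so
any name listed there resolves to the address on that line and the real
server is never contacted.  Below: a parser for that format and a resolver
emulation.  All sample data is constructed for the example.
"""
import ipaddress

# Constructed sample in HOSTS format: "<address> <hostname> [<alias> ...]".
# '#' starts a comment, there is no file extension, matching is case-insensitive.
# 127.0.0.1 (as used in the post) and 0.0.0.0 both act as sinkhole addresses.
SAMPLE_HOSTS = """\
# Header comments like this are ignored
127.0.0.1  localhost
127.0.0.1  ads.example-tracker.invalid   # trailing comment is allowed
0.0.0.0    banners.example-adserver.invalid
127.0.0.1  WWW.Example-Badware.invalid
malformed line with no address
256.1.1.1  not-an-address.invalid
"""

SINKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Return {hostname_lower: ip_address} parsed from HOSTS-format text.

    Blank lines, comment lines and lines whose first field is not a valid IP
    address are skipped; the first entry seen for a name is kept.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # junk line, resolver ignores it
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def _normalize(hostname):
    return hostname.lower().rstrip(".")


def resolve(hostname, hosts, dns):
    """Emulate lookup order: HOSTS table first, then DNS (a dict stand-in here).

    Returns (address, source) where source is "hosts", "dns" or "nxdomain".
    """
    name = _normalize(hostname)
    if name in hosts:
        return str(hosts[name]), "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "nxdomain"


def is_blocked(hostname, hosts):
    """True if the HOSTS file sends this name to a sinkhole address.

    'localhost' legitimately maps to 127.0.0.1, so it is never reported as blocked.
    """
    name = _normalize(hostname)
    if name == "localhost":
        return False
    addr = hosts.get(name)
    return addr is not None and addr in SINKHOLE


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    fake_dns = {"www.google.com": "74.125.0.1"}  # constructed stand-in answer
    for host in ("www.google.com", "ADS.example-tracker.invalid", "nothing.invalid"):
        print(host, "->", resolve(host, table, fake_dns), "blocked:", is_blocked(host, table))
```

To check a real machine instead of the sample, read the file at the path in the docstring and pass its contents to parse_hosts; a malware-modified HOSTS file shows up the same way, as entries that send update or security-vendor names somewhere other than a sinkhole, so the table is worth eyeballing, not only the block count.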
Kristena
2010-09-03, 05:15
Ok. I'm working on your last instructions.

I really appreciate your time and patience. I feel so confident in this fix and I've learned a lot about my own machine. Your directions were so clear and understandable so I never felt in over my head though I was digging in the guts of an expensive machine!

Oh, earlier you told me to disable tea-timer in Spybot. Adaware is actually easier to get to (in the tray) and starts up automatically. If I understand correctly I should leave TeaTimer as it is--disabled--and just let Adaware do its thing?

Thanks again.

jmw3
2010-09-03, 07:23
I'm working on your last instructions.
Think of them more as recommendations than instructions :wink:


I really appreciate your time and patience. I feel so confident in this fix and I've learned a lot about my own machine. Your directions were so clear and understandable so I never felt in over my head though I was digging in the guts of an expensive machine!
No problem at all... & Thank You


Oh, earlier you told me to disable tea-timer in Spybot. Adaware is actually easier to get to (in the tray) and starts up automatically. If I understand correctly I should leave TeaTimer as it is--disabled--and just let Adaware do its thing?
Yes correct :)

Good Luck & Surf Safe

jmw3
2010-09-05, 04:34
Since this issue appears to be resolved ... this Topic has been closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include fresh DDS & Attach logs and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a Moderator a private message (pm). A valid, working link to the closed topic is also required.