Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: HelpAssistant folder

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default HelpAssistant folder

    Hello,

    I have an unknown HelpAssistant folder on my C:\Documents and Settings.
    Malwarebytes, SuperAntiSpyware and AVG removed some things. Spybot did not find anything.
    I've unchecked the HelpAssistant in the Computer management tool and deleted the HelpAssistant folder: after restarting it reappears.

    I've tried to run Safe Mode (for the spyware tools) but then a blue screen appears, normal start-up is no problem.

    My laptop is running quite slow, seems that there is always some process running in the background.

    System: Microsoft Windows XP professional edition v2002 SP3.

    Thank you for your help.

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    Download GMER here by clicking download exe -button and then saving it your desktop:
    • Double-click .exe that you downloaded
    • Click rootkit-tab and then scan.
    • Don't check
      Show All
      box while scanning in progress!
    • When scanning is ready, click Copy.
    • This copies log to clipboard
    • Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    Thank you for your support and sorry for my late reply.
    Before your post, I've found via google how to solve this problem with fix mbr.
    I did this and now everything seems fine.

    I would appreciate it if you could do a quick check though (if there are maybe any hidden things left).

    Thanks,
    Mark

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Ok, if you want me to check then please post those requested logs
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    I've tried to run GMER twice but the first time I ended up with a blue screen and the second time my pc froze.
    I will try again.

    Below and attached the logs from DDS:

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by makke at 11:40:16,09 on wo 03-02-2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.3.1252.31.1033.18.1022.587 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\AVG\avgchsvx.exe
    svchost.exe
    C:\Program Files\AVG\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\AVG\avgtray.exe
    C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE
    C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\DRIVEN~1\syncer\MCCITR~1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
    C:\Program Files\AVG\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Telecom Italia\WanMiniport1st\srvany.exe
    C:\Program Files\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\AVG\avgemc.exe
    C:\Program Files\AVG\avgcsrvx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Documents and Settings\pip\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.it/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = 193.191.148.227:3127
    uInternet Settings,ProxyOverride = 127.0.0.1;192.168.1.1;*.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -"http://wbs.paginegialle.it/vservice/visual_shock.html?prjQuery=F1152A5E5CA495857926286B9B3E6AD7&initDataset=italia&initCoordX=467166.4627390145&initCoordY=5068834.556504496&sWidth=1240&sHeight=500"
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [Synchronization Manager] mobsync.exe /logon
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [FLMOFFICE4DMOUSE] c:\program files\labtec\mouse\v3.0\moffice.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [AVG9_TRAY] c:\progra~1\avg\avgtray.exe
    mRun: [AliceRE_McciTrayApp] c:\progra~1\alicet~1\vendors\alicere\content\template\driven~1\syncer\MCCITR~1.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outloo~1.lnk - c:\program files\paypal payment request wizard\outlook wizard\OEHook.exe
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/32.72/uploader2.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://verkopen.marktplaats.nl/js/widgets/imageUploader/aurigma/5_7_24_0/ImageUploader5.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229433515703
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229433502453
    DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://belgacom.extrafilm.be/ImageUploader4.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    AppInit_DLLs: wxvault.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora pro\EuShlExt.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 wvauth
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\pip\applic~1\mozilla\firefox\profiles\o12307pq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://stat.northitaly.eu/
    FF - component: c:\documents and settings\pip\application data\mozilla\firefox\profiles\o12307pq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1808.5272\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-30 333192]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-18 28424]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-30 360584]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
    R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2009-12-3 81920]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avgemc.exe [2009-11-12 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avgwdsvc.exe [2009-11-12 285392]
    R2 Network WanMiniport First Position;Network WanMiniport First Position;c:\program files\telecom italia\wanminiport1st\srvany.exe [2010-1-4 8192]
    R2 PPPoEService;PPPoE Service;c:\progra~1\alice\alicee~1\app\pppoeservice.exe [2009-12-17 49152]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
    R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-27 31896]
    R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\windows\system32\drivers\ntspppoe.sys [2009-12-16 161640]
    S2 gupdate1c985e6b2870e1c;Google Update Service (gupdate1c985e6b2870e1c);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
    S2 ONDA Autorun CDROM Monitor;ONDA Autorun CDROM Monitor;c:\windows\system32\supportappxl\onda_mon.exe --> c:\windows\system32\supportappxl\onda_mon.exe [?]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 {1098D678-AB61-4746-8F8FCF470F2CB976};{1098D678-AB61-4746-8F8FCF470F2CB976};c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
    S3 BulkUsb;VoIPUSBDriver.sys;c:\windows\system32\drivers\VoIPUSBDriver.sys [2005-9-16 149504]
    S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [2009-12-3 104960]
    S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\drivers\ONDAusbnet.sys [2009-12-3 110080]
    S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [2009-12-3 104960]
    S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [2009-12-3 104960]
    S3 OxUSBTIMOUT;OxUSBTIMOUT;c:\windows\system32\drivers\OxUSBTIMOUT.sys [2007-6-7 34152]
    S3 RAWESR;RAWESR;c:\progra~1\alice\alicee~1\app\RAWESR.SYS [2009-12-17 12924]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
    S3 SNPP106;PC Camera (6029 CIF);c:\windows\system32\drivers\snpp106.sys [2006-12-27 243328]
    S3 TAPBIND;TAPBIND;c:\progra~1\alice\alicee~1\app\TAPBIND1.SYS [2009-12-17 44544]

    =============== Created Last 30 ================

    2010-01-24 10:22:40 0 d-----w- c:\docume~1\pip\applic~1\Zanichelli
    2010-01-24 10:22:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-01-24 10:15:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Zanichelli
    2010-01-22 13:08:28 0 d-----w- c:\program files\OpenXML-ODF Translator
    2010-01-21 08:27:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-01-21 08:27:17 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-01-21 08:27:17 0 d-----w- c:\docume~1\pip\applic~1\SUPERAntiSpyware.com
    2010-01-21 08:26:51 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-01-11 15:32:43 512 ----a-w- C:\drmHeader.bin
    2010-01-08 19:09:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
    2010-01-08 19:09:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2010-01-07 13:42:01 350720 ----a-w- C:\hjsplit.exe
    2010-01-04 22:27:36 0 d-----w- c:\program files\iPod
    2010-01-04 22:27:19 0 d-----w- c:\program files\iTunes
    2010-01-04 22:27:19 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-01-04 20:20:10 0 d-----w- c:\windows\Motive
    2010-01-04 20:19:50 0 d-----w- c:\program files\common files\Motive
    2010-01-04 20:17:57 0 d-----w- c:\program files\Telecom Italia

    ==================== Find3M ====================

    2010-02-01 22:52:21 76324 ----a-w- c:\windows\system32\nvModes.dat
    2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
    2009-11-12 10:46:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2008-07-31 15:48:14 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008073120080801\index.dat

    ============= FINISH: 11:40:45,42 ===============

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Please see if you're able to run GMER by deselecting sections, devices and files before clicking scan.

    Are you familiar with this proxy server:
    uInternet Settings,ProxyServer = 193.191.148.227:3127
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    I think the proxy server you're mentioning is a remainder of the µtorrent program (which has been uninstalled).

    GMER seems quite a nasty program as it keeps freezing up my pc.
    I did manage to save the log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-02-04 09:40:34
    Windows 5.1.2600 Service Pack 3
    Running: 6jh25cic.exe; Driver: C:\DOCUME~1\pip\LOCALS~1\Temp\pxtdypob.sys


    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\NOTEPAD.EXE[1828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\NOTEPAD.EXE[1828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\NOTEPAD.EXE[1828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\NOTEPAD.EXE[1828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00E32E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00E32C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00E32C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1968] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00E32C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B72E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B72C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B72C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3636] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B72C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\pip\Desktop\6jh25cic.exe[5808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [004E2E70] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\pip\Desktop\6jh25cic.exe[5808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [004E2C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\pip\Desktop\6jh25cic.exe[5808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [004E2C50] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\pip\Desktop\6jh25cic.exe[5808] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [004E2C40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech Inc.)

    ---- EOF - GMER 1.0.15 ----

    Thank you very much,
    Mark

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Ok. Let's clear the proxy setting. In Internet Explorer do this:
    1. Click tools->internet options
    2. In Internet options window go to connections tab and click lan settings button.
    3. Clear address and port fields in proxy server section. Uncheck also "Use a proxy server for your LAN" checkbox.
    4. Click ok twice to close both windows.

    Are you using Adobe Acrobat Professional for other duties than to convert documents to pdf files?

    Uninstall your current Adobe shockwave player and get the fresh one here if needed.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 18.
    • Click the
      Download
      button to the right.
    • Select Windows on platform combobox and check the box that says:
      Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    Download ATF (Atribune Temp File) Cleanerİ by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report & a fresh dds.txt log. How's the system running?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    I'm basically using Adobe Acrobat Professional only to convert documents to pdf files.

    My system is running fine, only the start-up is a bit slow lately.

    Requested logs below:

    KAS:
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, February 7, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, February 06, 2010 21:07:01
    Records in database: 3442232
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 216062
    Threats found: 5
    Infected objects found: 6
    Suspicious objects found: 24
    Scan duration: 05:36:01


    File name / Threat / Threats count
    C:\Documents and Settings\pip\Application Data\Sun\Java\Deployment\cache\6.0\26\650996da-14a1f344 Infected: Trojan-Downloader.Java.Agent.ab 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.60 1
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 11
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx Infected: Email-Worm.Win32.Mydoom.a 2
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx Suspicious: Password-protected-EXE 1
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx.001 Suspicious: Exploit.HTML.Iframe.FileDownload 3
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx.002 Suspicious: Exploit.HTML.Iframe.FileDownload 8
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx.002 Infected: Email-Worm.Win32.Mydoom.a 2
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx.002 Suspicious: Password-protected-EXE 1

    Selected area has been scanned.



    DDS:

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by makke at 9:10:36,93 on zo 07/02/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.32.1033.18.1022.654 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\AVG\avgchsvx.exe
    C:\Program Files\AVG\avgrsx.exe
    C:\Program Files\AVG\avgcsrvx.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
    C:\Program Files\AVG\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\Program Files\Telecom Italia\WanMiniport1st\srvany.exe
    C:\Program Files\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\AVG\avgemc.exe
    C:\Program Files\AVG\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
    C:\PROGRA~1\AVG\avgtray.exe
    C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\DRIVEN~1\syncer\MCCITR~1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\pip\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.it/
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -"http://wbs.paginegialle.it/vservice/visual_shock.html?prjQuery=F1152A5E5CA495857926286B9B3E6AD7&initDataset=italia&initCoordX=467166.4627390145&initCoordY=5068834.556504496&sWidth=1240&sHeight=500"
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [Synchronization Manager] mobsync.exe /logon
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [FLMOFFICE4DMOUSE] c:\program files\labtec\mouse\v3.0\moffice.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [AVG9_TRAY] c:\progra~1\avg\avgtray.exe
    mRun: [AliceRE_McciTrayApp] c:\progra~1\alicet~1\vendors\alicere\content\template\driven~1\syncer\MCCITR~1.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outloo~1.lnk - c:\program files\paypal payment request wizard\outlook wizard\OEHook.exe
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/32.72/uploader2.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://verkopen.marktplaats.nl/js/widgets/imageUploader/aurigma/5_7_24_0/ImageUploader5.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229433515703
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229433502453
    DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://belgacom.extrafilm.be/ImageUploader4.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    AppInit_DLLs: wxvault.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora pro\EuShlExt.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 wvauth
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\pip\applic~1\mozilla\firefox\profiles\o12307pq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://stat.northitaly.eu/
    FF - component: c:\documents and settings\pip\application data\mozilla\firefox\profiles\o12307pq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-30 333192]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-18 28424]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-30 360584]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
    R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2009-12-3 81920]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avgemc.exe [2009-11-12 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avgwdsvc.exe [2009-11-12 285392]
    R2 Network WanMiniport First Position;Network WanMiniport First Position;c:\program files\telecom italia\wanminiport1st\srvany.exe [2010-1-4 8192]
    R2 PPPoEService;PPPoE Service;c:\progra~1\alice\alicee~1\app\pppoeservice.exe [2009-12-17 49152]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
    R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-27 31896]
    R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;c:\windows\system32\drivers\ntspppoe.sys [2009-12-16 161640]
    S2 gupdate1c985e6b2870e1c;Google Update Service (gupdate1c985e6b2870e1c);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
    S2 ONDA Autorun CDROM Monitor;ONDA Autorun CDROM Monitor;c:\windows\system32\supportappxl\onda_mon.exe --> c:\windows\system32\supportappxl\onda_mon.exe [?]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 {1098D678-AB61-4746-8F8FCF470F2CB976};{1098D678-AB61-4746-8F8FCF470F2CB976};c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
    S3 BulkUsb;VoIPUSBDriver.sys;c:\windows\system32\drivers\VoIPUSBDriver.sys [2005-9-16 149504]
    S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [2009-12-3 104960]
    S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\drivers\ONDAusbnet.sys [2009-12-3 110080]
    S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [2009-12-3 104960]
    S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [2009-12-3 104960]
    S3 OxUSBTIMOUT;OxUSBTIMOUT;c:\windows\system32\drivers\OxUSBTIMOUT.sys [2007-6-7 34152]
    S3 RAWESR;RAWESR;c:\progra~1\alice\alicee~1\app\RAWESR.SYS [2009-12-17 12924]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
    S3 SNPP106;PC Camera (6029 CIF);c:\windows\system32\drivers\snpp106.sys [2006-12-27 243328]
    S3 TAPBIND;TAPBIND;c:\progra~1\alice\alicee~1\app\TAPBIND1.SYS [2009-12-17 44544]

    =============== Created Last 30 ================

    2010-02-05 11:12:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-01-24 10:22:40 0 d-----w- c:\docume~1\pip\applic~1\Zanichelli
    2010-01-24 10:22:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-01-24 10:15:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Zanichelli
    2010-01-22 13:08:28 0 d-----w- c:\program files\OpenXML-ODF Translator
    2010-01-21 08:27:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-01-21 08:27:17 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-01-21 08:27:17 0 d-----w- c:\docume~1\pip\applic~1\SUPERAntiSpyware.com
    2010-01-21 08:26:51 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-01-11 15:32:43 512 ----a-w- C:\drmHeader.bin
    2010-01-08 19:09:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
    2010-01-08 19:09:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

    ==================== Find3M ====================

    2010-02-06 18:10:26 76324 ----a-w- c:\windows\system32\nvModes.dat
    2010-02-05 11:12:05 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-07 15:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 15:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
    2009-11-12 10:46:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2008-07-31 15:48:14 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008073120080801\index.dat

    ============= FINISH: 9:11:51,03 ===============

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    I'm basically using Adobe Acrobat Professional only to convert documents to pdf files.
    Your Adobe Acrobat version is not supported anymore. Either upgrade to the latest one or replace old one with a free alternative here.


    Delete C:\Documents and Settings\pip\Application Data\Sun\Java\Deployment\cache\6.0\26\650996da-14a1f344 file if found.

    Check email messages in these mail boxes and delete suspicious looking messages if found any:
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx.001
    C:\Program Files\Qualcomm\Eudora Pro\In.mbx.002


    My system is running fine, only the start-up is a bit slow lately.
    Have you defragged the hard drive recently?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •