
Thread: My PC is surfing the web without me :D

  1. #11
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello JD the DJ ,

    My apologies, somehow the text that I copied into my reply is missing the question.

    Is this a business machine?

    --------------------

    Do an online scan with ESET Online Scanner.
    Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.
    • Click here to go to ESET Online Scanner page.
    • Click on ESET Online Scanner. A new window will open.
      For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
    • After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
    • You will be prompted to install an ActiveX Control from ESET. Please install.
    • At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
    • Then, check Scan archives.
    • Now, click on Advanced settings and make sure all these are checked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    • Click on Scan to proceed.
    • When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
    • Post the contents in your reply.


    If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

    --------------------

    Please post back:
    1. the answer to my question about your computer
    2. the ESET result

  2. #12
    Member
    Join Date
    May 2009
    Posts
    40


    1) No, it is my old PC. Currently, I only use it for DJ gigs.

    2) I will start the ESET scan process tonight and post the log tomorrow.

    Also, since the run of ComboFix finished (~9 hours ago), no cookies or files have appeared in the sub-folders of "C:\Documents and Settings\NetworkService\...", and I have not seen an overactive svchost process.

    However, when I re-started TeaTimer, more TeaTimer notifications popped up than I was expecting (I was only expecting the one notification: that the registry item for TeaTimer itself had been changed). The first few that appeared, since I did not know what they referred to, I "denied", then the rest I "allowed", figuring they were made by the run of ComboFix.


    Just in case....
    This is the list of items (denied/allowed) from the Spybot Resident TeaTimer log that were made today after re-starting TeaTimer (after the completion of ComboFix).
    --------------------------------------------------------------------------
    2/20/2011 1:23:17 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
    2/20/2011 1:23:58 PM Denied (based on user decision) value "NoDriveTypeAutoRun" (new data: "323") changed in System Startup user entry!
    2/20/2011 1:24:12 PM Denied (based on user decision) value "NoDriveAutoRun" (new data: "67108863") changed in System Startup user entry!
    2/20/2011 1:24:14 PM Denied (based on user decision) value "NoDrives" (new data: "0") added in System Startup user entry!
    2/20/2011 1:24:27 PM Allowed (based on user decision) value "Locked" (new data: "") deleted in Global browser toolbar!
    2/20/2011 1:25:04 PM Denied (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
    2/20/2011 1:25:18 PM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
    2/20/2011 1:25:21 PM Allowed (based on user decision) value "SearchAssistant" (new data: "") deleted in Browser page!
    2/20/2011 1:25:27 PM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
    2/20/2011 1:25:30 PM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!
    2/20/2011 1:25:35 PM Allowed (based on user decision) value "run" (new data: "") deleted in NT startup!
    2/20/2011 1:25:39 PM Allowed (based on user decision) value "TaskMan" (new data: "") deleted in Winlogon!
    2/20/2011 1:25:54 PM Allowed (based on user decision) value "DisableRegistryTools" (new data: "0") added in Disable Registrytool!
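
Added example, not part of the post above: a small parser for the Spybot TeaTimer log format shown in that post, so the denied registry changes can be listed for review instead of read off by eye. The sample entries are constructed from the log above (abridged); the regex and the `%m/%d/%Y %I:%M:%S %p` timestamp layout are assumptions about the format, based only on the lines posted here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: six entries abridged from the TeaTimer log posted in this thread.
SAMPLE_TEATIMER_LOG = r"""
2/20/2011 1:23:17 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
2/20/2011 1:23:58 PM Denied (based on user decision) value "NoDriveTypeAutoRun" (new data: "323") changed in System Startup user entry!
2/20/2011 1:24:12 PM Denied (based on user decision) value "NoDriveAutoRun" (new data: "67108863") changed in System Startup user entry!
2/20/2011 1:24:14 PM Denied (based on user decision) value "NoDrives" (new data: "0") added in System Startup user entry!
2/20/2011 1:25:04 PM Denied (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
2/20/2011 1:25:54 PM Allowed (based on user decision) value "DisableRegistryTools" (new data: "0") added in Disable Registrytool!
"""

# Assumed line shape, derived from the posted entries only:
# <timestamp> <Allowed|Denied> (based on user decision) value "<name>" (new data: "<data>") <added|changed|deleted> in <category>!
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) \(based on user decision\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>[^"]*)"\) '
    r'(?P<action>added|changed|deleted) in (?P<category>.+?)!$'
)


def parse_teatimer_log(text):
    """Return one dict per recognised entry; unrecognised lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%m/%d/%Y %I:%M:%S %p")
        entries.append(entry)
    return entries


def denied_changes(entries):
    """Changes the user blocked; these are the candidates to re-allow if they came from a known tool."""
    return [e for e in entries if e["decision"] == "Denied"]


def decisions_by_category(entries):
    """Count (category, decision) pairs, e.g. how many 'Browser page' changes were denied."""
    return Counter((e["category"], e["decision"]) for e in entries)


def summarize_teatimer(text):
    entries = parse_teatimer_log(text)
    denied = denied_changes(entries)
    span = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds() / 60 if entries else 0.0
    return {
        "total": len(entries),
        "denied": len(denied),
        "allowed": len(entries) - len(denied),
        "denied_names": [e["name"] for e in denied],
        "window_minutes": span,
    }


if __name__ == "__main__":
    report = summarize_teatimer(SAMPLE_TEATIMER_LOG)
    print(report)
    for cat_decision, n in sorted(decisions_by_category(parse_teatimer_log(SAMPLE_TEATIMER_LOG)).items()):
        print(cat_decision, n)
```

Run against the full log from the post, the `denied_names` list is exactly the set of entries to go back and allow once the helper has confirmed they were made by the cleanup tool.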

  3. #13
    Member
    Join Date
    May 2009
    Posts
    40

    ESET Scan log

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=ae03d67303722242aebde56bbfcf4142
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-02-21 09:26:30
    # local_time=2011-02-21 02:26:30 (-0700, Mountain Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 83117137 83117137 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=209359
    # found=4
    # cleaned=0
    # scan_time=10197
    C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b multiple threats (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{2FBDD646-1C51-4A2F-BAC7-61534B6F1CAE}\RP1667\A0215072.dll a variant of Win32/Kryptik.KIQ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{2FBDD646-1C51-4A2F-BAC7-61534B6F1CAE}\RP1692\A0220172.dll Win32/TrojanProxy.Agent.NGY trojan (unable to clean) 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{2FBDD646-1C51-4A2F-BAC7-61534B6F1CAE}\RP1692\A0220173.exe a variant of Win32/TrojanDownloader.FraudLoad.NAJ trojan (unable to clean) 00000000000000000000000000000000 I
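
Added example, not part of the post above: a parser for the ESET Online Scanner `log.txt` layout posted in this thread. It checks that the `# key=value` header reflects the settings the helper asked for (removal off, archives and PUA/unsafe/anti-stealth on), that the `found=` count agrees with the number of finding lines (the mismatch case the helper mentions), and which findings sit in the System Restore cache versus a live location. The sample is constructed from the log above; one assumption is that the real log separates the fields of a finding line with tabs, which the forum rendering collapsed to spaces.

```python
import re

# Constructed sample: header abridged from the ESET log.txt posted above.
SAMPLE_HEADER = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# scanned=209359
# found=4
# cleaned=0
# scan_time=10197"""

# Constructed finding lines (path, threat, hash, flags), rebuilt with tab separators (assumption).
RESTORE = r"C:\System Volume Information\_restore{2FBDD646-1C51-4A2F-BAC7-61534B6F1CAE}"
SAMPLE_FINDINGS = [
    (r"C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b",
     "multiple threats (unable to clean)", "0" * 32, "I"),
    (RESTORE + r"\RP1667\A0215072.dll", "a variant of Win32/Kryptik.KIQ trojan (unable to clean)", "0" * 32, "I"),
    (RESTORE + r"\RP1692\A0220172.dll", "Win32/TrojanProxy.Agent.NGY trojan (unable to clean)", "0" * 32, "I"),
    (RESTORE + r"\RP1692\A0220173.exe", "a variant of Win32/TrojanDownloader.FraudLoad.NAJ trojan (unable to clean)", "0" * 32, "I"),
]
SAMPLE_LOG = SAMPLE_HEADER + "\n" + "\n".join("\t".join(f) for f in SAMPLE_FINDINGS) + "\n"

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Settings the instructions in this thread ask for (log key -> expected value).
EXPECTED_SETTINGS = {
    "remove_checked": "false",      # "do not remove anything yet"
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}


def parse_eset_log(text):
    """Split the log into a settings dict (from '# key=value' lines) and a list of finding dicts."""
    settings, findings = {}, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()   # a repeated key keeps its last value
        elif PATH_RE.match(line):
            parts = line.split("\t")
            parts += [""] * (4 - len(parts))             # tolerate missing trailing fields
            findings.append({"path": parts[0], "threat": parts[1], "hash": parts[2], "flags": parts[3]})
    return settings, findings


def setting_mismatches(settings):
    """Expected keys whose logged value differs (None when the key is absent from the log)."""
    return {k: settings.get(k) for k, v in EXPECTED_SETTINGS.items() if settings.get(k) != v}


def classify_location(path):
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore_cache"   # inert unless a manual System Restore is performed
    if "\\java\\deployment\\cache\\" in p:
        return "java_cache"
    return "live_file"


def summarize_eset(text):
    settings, findings = parse_eset_log(text)
    declared = int(settings.get("found") or 0)
    by_location = {}
    for f in findings:
        loc = classify_location(f["path"])
        by_location[loc] = by_location.get(loc, 0) + 1
    return {
        "finished": settings.get("end") == "finished",
        "setting_mismatches": setting_mismatches(settings),
        "declared_found": declared,
        "parsed_found": len(findings),
        "count_consistent": declared == len(findings),   # False -> export the threat list instead
        "by_location": by_location,
        "unable_to_clean": [f["path"] for f in findings if "unable to clean" in f["threat"]],
    }


if __name__ == "__main__":
    for key, value in summarize_eset(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A `count_consistent` of False is the situation the helper describes where `log.txt` does not match the result window, and the exported threat list should be posted instead; a non-empty `setting_mismatches` means the scan was run with different options than requested and should be repeated.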

  4. #14
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello JD the DJ ,

    Yes, those are changes made by ComboFix. Please allow the changes for the following run.

    I see that you have uninstalled Adobe Reader using Revo Uninstaller. You might want to remove this remnant as well:
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

    --------------------

    Your Firefox browser is outdated. Older versions have security vulnerabilities that can be exploited.

    Please update your Firefox browser to the latest version. You may need to use Internet Explorer temporarily for this, or download the program first before continuing with the uninstall step.
    It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

    Mozilla Firefox (3.5.13)

    • Go to the Mozilla Firefox download page. Click here.
    • Click on the Free Download button and save the setup file to a convenient location.
    • Double click on the setup file and follow the steps accordingly.


    --------------------

    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

    Run ComboFix script
    • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Open Notepad. Copy and paste the following text into it:
      Code:
      File::
      C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b
      
      Firefox::
      FF - ProfilePath - c:\documents and settings\Dana\Application Data\Mozilla\Firefox\Profiles\e9buyb2s.default\
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update, please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
    • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
    • Re-enable your security software as soon as you have completed the ComboFix steps.


    --------------------

    The remainder of the online scan's findings include items located in C:\System Volume Information\ where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore.

    We shall be taking care of them during the final cleanup.

    When you complete all the above steps, please rerun DDS and post back the latest result.

    --------------------

    Please post back:
    1. the ComboFix log
    2. DDS log
    3. any more problems?

  5. #15
    Member
    Join Date
    May 2009
    Posts
    40


    1) Was unable to remove Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    None of the programs listed it (Add/Remove ; Revo ; Spybot; or, CCleaner)

    2) Downloaded Firefox 3.6.13 setup; Uninstalled old Firefox; Installed new version of Firefox.

    3) Disabled TeaTimer. (When I opened Spybot, the box to enable it was not checked. It should have been. I checked the box and closed Spybot. I received the notification about Spybot registry change plus others relating to Firewall Access. I denied those that I knew were not on PC any longer or had no idea what they were (for ex. AVG7 and mmc.exe). I opened Spybot and un-checked TeaTimer, then closed Spybot. I opened Spybot again and checked the box. Closed Spybot. Again received Firewall Access registry changes to (most of) the same ones as before. Opened Spybot to disable TeaTimer to run CFScript.)

    4) Ran the CFScript, log is pasted below.

    5) Re-Enabled TeaTimer (Again received notifications re: Firewall Access)

    6) Ran DDS, log pasted below. (When I first tried to run DDS, the black box would appear for about one second, then disappear. Tried to run it a few times, all had same result. Shutdown PC (and waited for 14 MS updates to install) and re-started PC. When I logged on, received TeaTimer notifications re: Firewall Access. But, was now able to run DDS)

    7) As to other problems:
    - The TeaTimer notifications for Firewall Access for programs that have been removed from my PC (some were removed years ago).
    - There is a new User folder that was created the day of the infection (or shortly after). It is called "Administrator.[full computer name]". There is already a User folder called "Administrator".
    - However, the PC seems to be running even better than before being infected. For ex., an svchost process (User Name: Network Service) would run 100% CPU for 10+ minutes when first logging on. That has not happened since running ComboFix the first time.

    8) Here are the requested logs:

    CFScript log
    ----------------------------------------------------------------------------------------------------------------------------------------------------


    ComboFix 11-02-21.02 - Dana 02/22/2011 0:17.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.152 [GMT -7:00]
    Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dana\Desktop\CFScript.txt

    FILE ::
    "c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\install.rdf
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\install.rdf
    C:\Thumbs.db
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
    .

    2011-02-21 06:30 . 2011-02-21 06:30 -------- d-----w- c:\program files\ESET
    2011-02-20 23:06 . 2011-02-20 23:06 -------- d-----w- c:\windows\LastGood
    2011-02-19 11:50 . 2011-02-19 11:51 -------- d-----w- c:\program files\ERUNT
    2011-02-17 17:19 . 2011-02-17 17:19 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-15 23:45 . 2011-02-15 23:45 -------- d-----w- c:\program files\Microsoft Easy Assist
    2011-02-15 17:56 . 2011-02-15 17:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-27 08:25 . 2011-01-27 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-01-27 03:26 . 2011-01-28 04:47 -------- d-----w- c:\documents and settings\Administrator.DBARKER2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 01:09 . 2008-10-31 12:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 01:08 . 2008-10-31 12:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2006-07-03 11:11 . 2006-07-03 11:12 774144 ----a-w- c:\program files\RngInterstitial.dll
    2003-08-27 21:19 . 2004-01-31 23:08 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

    c:\documents and settings\Dana\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-23 813584]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NapsterShell"=c:\program files\Napster\napster.exe /systray

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2009 6:56 PM 10384]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [1/27/2004 9:49 AM 1025288]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/8/2003 9:56 AM 820133]
    S3 CallerIP;Visualware CallerIP;c:\program files\CallerIP\cip-nt.exe --> c:\program files\CallerIP\cip-nt.exe [?]
    S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\DRIVERS\idcphid.sys --> c:\windows\system32\DRIVERS\idcphid.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:42]

    2011-02-21 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-05-04 21:31]

    2011-02-21 c:\windows\Tasks\User_Feed_Synchronization-{7255A037-42F1-4F10-A6F1-8A5588174281}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
    FF - ProfilePath -
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-22 00:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1417001333-1935655697-1202660629-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(556)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    Completion time: 2011-02-22 00:35:41
    ComboFix-quarantined-files.txt 2011-02-22 07:35
    ComboFix2.txt 2011-02-20 19:30

    Pre-Run: 19,094,921,216 bytes free
    Post-Run: 19,083,902,976 bytes free

    Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 04632BA1ED6D14C79A013D557BBBF7D1


    ----------------------------------------------------------------------------------------------------------------------------------------------------

    DDS log



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Dana at 1:36:55.84 on Tue 02/22/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.156 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dana\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    BHO: AutorunsDisabled - No File
    BHO: Yahoo! IE Suggest - No File
    BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    StartupFolder: c:\docume~1\dana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
    IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.4351041667
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath -

    ============= SERVICES / DRIVERS ===============

    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-23 10384]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2004-1-27 1025288]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-4-8 820133]
    S3 CallerIP;Visualware CallerIP;c:\program files\callerip\cip-nt.exe --> c:\program files\callerip\cip-nt.exe [?]
    S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys --> c:\windows\system32\drivers\idcphid.sys [?]

    =============== Created Last 30 ================

    2011-02-21 06:30:52 -------- d-----w- c:\program files\ESET
    2011-02-20 18:31:59 -------- d-sha-r- C:\cmdcons
    2011-02-20 18:24:26 98816 ----a-w- c:\windows\sed.exe
    2011-02-20 18:24:26 89088 ----a-w- c:\windows\MBR.exe
    2011-02-20 18:24:26 256512 ----a-w- c:\windows\PEV.exe
    2011-02-20 18:24:26 161792 ----a-w- c:\windows\SWREG.exe
    2011-02-17 17:19:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-15 23:45:59 -------- d-----w- c:\program files\Microsoft Easy Assist

    ==================== Find3M ====================

    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2006-07-03 11:11:44 774144 ----a-w- c:\program files\RngInterstitial.dll
    2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

    ============= FINISH: 1:39:25.88 ===============

  6. #16
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Default

    Hello JD the DJ ,

The problem you are experiencing is most likely caused by TeaTimer remembering old changes and interfering with DDS.

    To reset TeaTimer so that it does not remember any previous entries:

    1. Edit the entries that TeaTimer uses to automatically "Allow" or "Deny" changes that were based on the use of "Remember this decision" as follows:


      • Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
        • Allowed processes
        • Blocked processes
        • Allowed registry changes
        • Blocked registry changes

          Note: If you don't see all four buttons, try expanding the window to the right.


  • The entries that you should review are in "Allowed registry changes" and "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember, so that during future changes to these items TeaTimer will issue a pop-up dialog rather than just a notification pop-up.


2. Reset TeaTimer's snapshot files:


      • TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshot was taken. This happens primarily when you reboot the system. To refresh TeaTimer's snapshot files:
        • Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
          • TeaTimer closes.
          • TeaTimer's snapshot files are refreshed at this time.
        • Restart TeaTimer:
          • Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
          • Double click TeaTimer.exe to start it.


    --------------------

    For the Adobe entry, I think you can leave it alone since none of the uninstallers are seeing it.

The new user folder should pose no harm as well.

    --------------------

Please ensure TeaTimer is reset according to my above instructions and disabled before continuing below.

    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

    Run ComboFix script
• Please disable the real-time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Open Notepad. Copy and paste the following text into it:
      Code:
      DDS::
      BHO: AutorunsDisabled - No File
      BHO: Yahoo! IE Suggest - No File
      BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
      TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
      TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
      TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
      IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
      IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
      IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
      IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update, please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
    • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
• Re-enable your security software as soon as you have completed the ComboFix steps.


    --------------------

    Please post back:
    1. the ComboFix log
    2. fresh DDS log
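The DDS:: block in the post above was assembled by hand from the DDS "Pseudo HJT Report": the helper picked the browser hooks (BHO:, TB:, EB:, IE:) that point at "No File", at nothing at all, or only at another CLSID, plus one entry chosen by judgement (the UltimateBet IE button, which does have a file behind it). The script below is an added example, not part of the original thread and not a feature of DDS or ComboFix; it encodes that orphaned-entry heuristic so the selection can be repeated on a fresh DDS log and reviewed before being saved as CFScript.txt. The sample input is a constructed excerpt of the DDS lines quoted earlier in this thread; the `extra` parameter is this example's own way of appending judgement-based entries.

```python
"""Build a ComboFix CFScript 'DDS::' block from a DDS Pseudo HJT Report.

Added example (not from the thread, not DDS/ComboFix code). It flags
browser-hook lines that reference no file on disk:
  - '... - No File'            (registry points at a deleted DLL/EXE)
  - 'Name: {CLSID} -'          (empty target)
  - 'IE: {CLSID}'              (CLSID with no target at all)
  - 'IE: {CLSID} - {CLSID}'    (target is just another CLSID)
Entries that do resolve to a file are left alone; removing those is an
analyst decision and is passed in explicitly via `extra`.
"""
import re

# Constructed sample: lines taken from the DDS report posted above, with the
# 'hxxp' obfuscation DDS applies left in place. Not a live capture.
SAMPLE_DDS = """\
uStart Page = hxxp://google.com/
BHO: AutorunsDisabled - No File
BHO: Yahoo! IE Suggest - No File
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\progra~1\\spybot~1\\SDHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ISUSPM] "c:\\program files\\common files\\installshield\\updateservice\\ISUSPM.exe" -scheduler
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\\program files\\yahoo!\\messenger\\YahooMessenger.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe
"""

# 8-4-4-4-12 hex groups inside braces: 36 characters between the braces.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# DDS prefixes for Internet Explorer browser helper objects, toolbars,
# explorer bars and IE buttons/tools-menu entries.
HOOK_PREFIXES = ("BHO:", "TB:", "EB:", "IE:")


def is_orphaned(line: str) -> bool:
    """True when a DDS browser-hook line references no backing file."""
    prefix, _, body = line.strip().partition(" ")
    if prefix not in HOOK_PREFIXES:
        return False
    body = body.strip()
    if body.endswith("- No File") or body.endswith(" -"):
        return True                      # deleted file, or empty target
    if GUID_RE.fullmatch(body):
        return True                      # 'IE: {CLSID}' with nothing else
    # DDS prints 'label: {CLSID} - target'; look at the final target only.
    _head, sep, target = body.rpartition(" - ")
    return bool(sep) and GUID_RE.fullmatch(target.strip()) is not None


def build_cfscript(dds_text: str, extra: tuple = ()) -> str:
    """Return a CFScript body: 'DDS::' followed by each flagged line verbatim.

    `extra` carries lines the analyst chose by judgement rather than by the
    orphan heuristic (the UltimateBet IE entry above is one such case); they
    are appended unchanged so the script stays reviewable line by line.
    """
    flagged = [ln.rstrip() for ln in dds_text.splitlines() if is_orphaned(ln)]
    return "\n".join(["DDS::", *flagged, *extra]) + "\n"


if __name__ == "__main__":
    # Review this output before saving it as CFScript.txt on the desktop.
    print(build_cfscript(SAMPLE_DDS), end="")
```

Run against the constructed sample, the heuristic selects exactly the seven "No File", empty-target and CLSID-only lines that appear in the helper's DDS:: block; the UltimateBet line is not selected because it resolves to a real executable, which is why the example leaves that kind of decision to `extra` rather than guessing it.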

  7. #17
    Member
    Join Date
    May 2009
    Posts
    40

    Default

    Pasted below are:
    1) CFScript log
    2) DDS log

    CFScript log
    --------------------------------------------------------------------------------------------------------------------------------------------
    ComboFix 11-02-22.01 - Dana 02/22/2011 18:22:34.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.210 [GMT -7:00]
    Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dana\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
    .

    2011-02-21 06:30 . 2011-02-21 06:30 -------- d-----w- c:\program files\ESET
    2011-02-19 11:50 . 2011-02-19 11:51 -------- d-----w- c:\program files\ERUNT
    2011-02-17 17:19 . 2011-02-17 17:19 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-15 23:45 . 2011-02-15 23:45 -------- d-----w- c:\program files\Microsoft Easy Assist
    2011-02-15 17:56 . 2011-02-15 17:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-27 08:25 . 2011-01-27 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-01-27 03:26 . 2011-01-28 04:47 -------- d-----w- c:\documents and settings\Administrator.DBARKER2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-21 01:09 . 2008-10-31 12:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 01:08 . 2008-10-31 12:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 23:59 . 2004-02-07 00:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2003-03-31 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38 . 2003-03-31 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2002-08-29 01:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2006-07-03 11:11 . 2006-07-03 11:12 774144 ----a-w- c:\program files\RngInterstitial.dll
    2003-08-27 21:19 . 2004-01-31 23:08 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-02-22_07.29.12 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2003-03-31 12:00 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
    + 2003-03-31 12:00 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
    - 2006-11-08 04:03 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
    + 2006-11-08 04:03 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll
    + 2003-03-31 12:00 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll
    - 2003-03-31 12:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
    + 2009-06-20 01:37 . 2010-12-20 23:59 12800 c:\windows\system32\dllcache\xpshims.dll
    - 2009-06-20 01:37 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
    + 2006-05-10 05:23 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll
    - 2006-05-10 05:23 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2007-05-09 21:00 . 2010-12-20 23:59 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2007-05-09 21:00 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2006-10-17 19:05 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
    + 2006-10-17 19:05 . 2010-12-20 23:59 43520 c:\windows\system32\dllcache\licmgr10.dll
    - 2006-05-10 05:22 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
    + 2006-05-10 05:22 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll
    + 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
    - 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 12800 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 43520 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll
    - 2003-03-31 12:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
    + 2003-03-31 12:00 . 2010-12-20 23:59 206848 c:\windows\system32\occache.dll
    - 2003-03-31 12:00 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
    + 2003-03-31 12:00 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll
    + 2006-11-08 04:03 . 2010-12-20 23:59 602112 c:\windows\system32\msfeeds.dll
    - 2006-11-08 04:03 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
    - 2003-03-31 12:00 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
    + 2003-03-31 12:00 . 2010-12-20 23:59 184320 c:\windows\system32\iepeers.dll
    + 2003-03-31 12:00 . 2010-12-20 23:59 387584 c:\windows\system32\iedkcs32.dll
    - 2003-03-31 12:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
    + 2003-03-31 12:00 . 2010-12-20 12:55 173568 c:\windows\system32\ie4uinit.exe
    - 2003-03-31 12:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
    + 2004-01-23 17:51 . 2011-02-22 08:28 263824 c:\windows\system32\FNTCACHE.DAT
    - 2004-01-23 17:51 . 2010-12-19 06:37 263824 c:\windows\system32\FNTCACHE.DAT
    - 2004-02-07 00:05 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
    + 2004-02-07 00:05 . 2010-12-20 23:59 916480 c:\windows\system32\dllcache\wininet.dll
    + 2011-01-21 14:44 . 2011-01-21 14:44 439296 c:\windows\system32\dllcache\shimgvw.dll
    + 2006-10-17 19:04 . 2010-12-20 23:59 206848 c:\windows\system32\dllcache\occache.dll
    - 2006-10-17 19:04 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
    + 2009-05-01 20:30 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll
    - 2006-05-10 05:23 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
    + 2006-05-10 05:23 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll
    + 2007-05-09 21:00 . 2010-12-20 23:59 602112 c:\windows\system32\dllcache\msfeeds.dll
    - 2007-05-09 21:00 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
    + 2009-05-01 20:30 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll
    - 2009-05-01 20:30 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
    + 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
    - 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
    - 2009-06-20 01:37 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2009-06-20 01:37 . 2010-12-20 23:59 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2006-05-10 05:22 . 2010-12-20 23:59 184320 c:\windows\system32\dllcache\iepeers.dll
    - 2006-05-10 05:22 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
    + 2010-07-30 19:30 . 2010-12-20 23:59 743424 c:\windows\system32\dllcache\iedvtool.dll
    - 2010-07-30 19:30 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
    + 2006-11-07 10:27 . 2010-12-20 23:59 387584 c:\windows\system32\dllcache\iedkcs32.dll
    - 2006-11-07 10:27 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
    + 2006-11-07 10:26 . 2010-12-20 12:55 173568 c:\windows\system32\dllcache\ie4uinit.exe
    - 2006-11-07 10:26 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
    - 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
    + 2010-04-20 05:30 . 2011-01-07 14:09 290048 c:\windows\system32\dllcache\atmfd.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 916480 c:\windows\ie8updates\KB2482017-IE8\wininet.dll
    + 2011-02-22 08:14 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\spuninst\updspapi.dll
    + 2011-02-22 08:14 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst\spuninst.exe
    + 2011-02-22 08:14 . 2010-11-06 00:26 206848 c:\windows\ie8updates\KB2482017-IE8\occache.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 611840 c:\windows\ie8updates\KB2482017-IE8\mstime.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 602112 c:\windows\ie8updates\KB2482017-IE8\msfeeds.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 247808 c:\windows\ie8updates\KB2482017-IE8\ieproxy.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 184320 c:\windows\ie8updates\KB2482017-IE8\iepeers.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 743424 c:\windows\ie8updates\KB2482017-IE8\iedvtool.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 387584 c:\windows\ie8updates\KB2482017-IE8\iedkcs32.dll
    + 2011-02-22 08:14 . 2010-11-03 12:26 173568 c:\windows\ie8updates\KB2482017-IE8\ie4uinit.exe
    + 2011-02-22 08:32 . 2011-02-22 08:32 266240 c:\windows\ERDNT\AutoBackup\2-22-2011\Users\00000002\UsrClass.dat
    + 2011-02-22 08:32 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\2-22-2011\ERDNT.EXE
    + 2004-01-21 23:20 . 2010-12-20 23:59 1210880 c:\windows\system32\urlmon.dll
    - 2004-01-21 23:20 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
    - 2004-07-16 21:15 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
    + 2004-07-16 21:15 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
    + 2004-07-08 00:37 . 2010-12-20 23:59 5961216 c:\windows\system32\mshtml.dll
    - 2006-10-17 18:57 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
    + 2006-10-17 18:57 . 2010-12-20 23:59 1991680 c:\windows\system32\iertutil.dll
    + 2008-10-14 19:17 . 2010-12-31 13:10 1854976 c:\windows\system32\dllcache\win32k.sys
    + 2004-01-21 23:20 . 2010-12-20 23:59 1210880 c:\windows\system32\dllcache\urlmon.dll
    - 2004-01-21 23:20 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
    - 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
    + 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
    + 2008-10-14 19:17 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
    + 2008-10-14 19:17 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
    + 2008-10-14 19:17 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2008-10-14 19:17 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
    + 2006-05-19 15:08 . 2010-12-20 23:59 5961216 c:\windows\system32\dllcache\mshtml.dll
    - 2007-05-09 21:01 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
    + 2007-05-09 21:01 . 2010-12-20 23:59 1991680 c:\windows\system32\dllcache\iertutil.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 1210880 c:\windows\ie8updates\KB2482017-IE8\urlmon.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 5959168 c:\windows\ie8updates\KB2482017-IE8\mshtml.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 1991680 c:\windows\ie8updates\KB2482017-IE8\iertutil.dll
    + 2008-10-14 19:17 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2008-10-14 19:17 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2008-10-14 19:17 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2008-10-14 19:17 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2005-05-13 20:03 . 2011-02-22 08:15 37443528 c:\windows\system32\MRT.exe
    + 2006-11-08 04:03 . 2010-12-21 12:29 11080704 c:\windows\system32\ieframe.dll
    - 2006-11-08 04:03 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
    - 2007-05-09 21:00 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
    + 2007-05-09 21:00 . 2010-12-21 12:29 11080704 c:\windows\system32\dllcache\ieframe.dll
    + 2011-02-22 08:14 . 2010-11-06 00:26 11080704 c:\windows\ie8updates\KB2482017-IE8\ieframe.dll
    + 2011-02-22 08:32 . 2011-02-22 08:32 17768448 c:\windows\ERDNT\AutoBackup\2-22-2011\Users\00000001\ntuser.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

    c:\documents and settings\Dana\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-23 813584]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "NapsterShell"=c:\program files\Napster\napster.exe /systray

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2009 6:56 PM 10384]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [1/27/2004 9:49 AM 1025288]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/8/2003 9:56 AM 820133]
    S3 CallerIP;Visualware CallerIP;c:\program files\CallerIP\cip-nt.exe --> c:\program files\CallerIP\cip-nt.exe [?]
    S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\DRIVERS\idcphid.sys --> c:\windows\system32\DRIVERS\idcphid.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - uphcleanhlp
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:42]

    2011-02-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-05-04 21:31]

    2011-02-22 c:\windows\Tasks\User_Feed_Synchronization-{7255A037-42F1-4F10-A6F1-8A5588174281}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
    FF - ProfilePath -
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-22 18:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1417001333-1935655697-1202660629-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(556)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(3372)
    c:\windows\system32\WININET.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-02-22 18:40:09
    ComboFix-quarantined-files.txt 2011-02-23 01:40
    ComboFix2.txt 2011-02-22 07:35
    ComboFix3.txt 2011-02-20 19:30

    Pre-Run: 18,733,899,776 bytes free
    Post-Run: 18,734,149,632 bytes free

    Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - BA8E7F5551C34A2EA167A8A149915AD1

    DDS log
    ---------------------------------------------------------------------------------------------------------------------------------------

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Dana at 18:55:32.75 on Tue 02/22/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.170 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\Dana\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    BHO: AutorunsDisabled - No File
    BHO: Yahoo! IE Suggest - No File
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    StartupFolder: c:\docume~1\dana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.4351041667
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath -

    ============= SERVICES / DRIVERS ===============

    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-23 10384]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2004-1-27 1025288]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-4-8 820133]
    S3 CallerIP;Visualware CallerIP;c:\program files\callerip\cip-nt.exe --> c:\program files\callerip\cip-nt.exe [?]
    S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys --> c:\windows\system32\drivers\idcphid.sys [?]

    =============== Created Last 30 ================

    2011-02-21 06:30:52 -------- d-----w- c:\program files\ESET
    2011-02-20 18:31:59 -------- d-sha-r- C:\cmdcons
    2011-02-20 18:24:26 98816 ----a-w- c:\windows\sed.exe
    2011-02-20 18:24:26 89088 ----a-w- c:\windows\MBR.exe
    2011-02-20 18:24:26 256512 ----a-w- c:\windows\PEV.exe
    2011-02-20 18:24:26 161792 ----a-w- c:\windows\SWREG.exe
    2011-02-17 17:19:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-15 23:45:59 -------- d-----w- c:\program files\Microsoft Easy Assist

    ==================== Find3M ====================

    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2006-07-03 11:11:44 774144 ----a-w- c:\program files\RngInterstitial.dll
    2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

    ============= FINISH: 18:57:13.09 ===============

  8. #18
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Hello JD the DJ ,

    How is the computer behaving now? Did the TeaTimer reset go well?

  9. #19
    Member
    Join Date
    May 2009
    Posts
    40

    Looking good.
    Except for the same 5 MS updates that keep getting installed every time I shut PC down (KB982524, KB983583, KB2418241, KB982168, KB979909)

    TeaTimer reset went well.

  10. #20
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725

    Hello JD the DJ ,

    Looks like a Microsoft .NET Framework problem, and quite a common one. See if these help:
    http://support.microsoft.com/kb/910339
    http://support.microsoft.com/kb/976982

    --------------------

    Congratulations, you are All Clear to go. Glad to hear everything is good and running. If you have any more problems, please let me know.

    Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.
    • Go to Start > Run.... Copy and paste the following text into the white box:
      ComboFix /uninstall
      Click OK.
    • Delete the USBNoRisk and Rootkit Unhooker files on your desktop.
    • Delete any logs on the desktop.


    Some tips to help you stay clean and safe:

    1. Keep your Windows up to date. Enable Automatic Updates for Windows XP to always get the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

    2. Update your antivirus program regularly; it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials, Avast and Avira are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 and Kaspersky are some good options. Please keep only one AV installed.

    3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

    4. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications.

    5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose.

    6. Install Web of Trust (WOT). WOT keeps you away from dangerous websites with warnings and blocking.

    7. Protect your computer from removable or USB drive infections with Panda USB Vaccine, an effective method to prevent malware from spreading.

    8. Keep all your software updated. Visit Secunia Software Inspector to find out if any updates are required.

    9. If you have been a victim of malware before, Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

    10. Also look up:
    Computer Security - a short guide to staying safer online
    PC Safety and Security - What Do I Need? By Glaswegian
    How to prevent malware: By miekiemoes
    So how did I get infected in the first place? By Tony Klein
    Microsoft Online Safety

    Stay safe.
