Hijacked XP computer/HJT log

Status
Not open for further replies.
Ken,
I am no longer experiencing those types of problems. I still feel like a bit paranoid however. I have read here in the past that explore.exe is not something good - wrong or right? There is a program that I never used on the computer that is constantly trying to run and its parent program according to this firewall is explorer.exe.

I am going to delete the file you mentioned.

Before I posted on the forum, spybot had detected and deleted some viruses or trojans, but I cannot recall what they were
 
Deleted the file iis6.BAK and btw don't use BitComet, my son asked me to download it for him, zip and forward because his old computer would not download anything for awhile it was very old. So I did that and forgot about it, but just deleted it as well.
 
explore.exe <--This is part of Internet Explorer

explorer.exe <-- This is legit also but should be in C:\windows and a couple of backup folders, if its anywhere else it could be bad

Go to Start > Search > all files and folders and plug each one in one at a time and post the results


As far as being paranoid, the only way to cure that is to do a complete format of your hard drive and a clean install of windows. Why do you not have a windows or recovery disk ? You can contact the manufacturer of your system and order one
 
I know ignorance is no excuse, but when they stopped sending the machines without the discs, I never pursued it.

I am running that search for explorer.exe, but must say I NEVER use IE, so I don't know why it is asking to run so much. Fortunately, during this process, at your recommendation, I downloaded the firewall and now I see it happening. There were times when the computer completely locked up that there were at least two explorer.exe programs running at the same time.
 
These are the explorer.exe files that turned up ....

explorer.exe C:\WINDOWS
explorer.exe C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e
EXPLORER.EXE-082F38A9.pf C:\WINDOWS\Prefetch
Download guard for Internet Explorer.exe C:\Program Files\Lavasoft\Ad-Aware
 
Donna,

These are all fine and legit

explorer.exe C:\WINDOWS
explorer.exe C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e
EXPLORER.EXE-082F38A9.pf C:\WINDOWS\Prefetch
Download guard for Internet Explorer.exe C:\Program Files\Lavasoft\Ad-Aware


I am not following a lot of what your saying, you need to provide more detail


but when they stopped sending the machines without the discs, I never pursued it. All manufacturers provide disks, most of them come with a recover disk and disks for the drivers for your system in case you need to do a reinstall


but must say I NEVER use IE,
This doesn't matter, the files will still be present



I NEVER use IE, so I don't know why it is asking to run so much. What is asking to run so much


I downloaded the firewall and now I see it happening What do you see happening?
 
but when they stopped sending the machines without the discs, I never pursued it. All manufacturers provide disks, most of them come with a recover disk and disks for the drivers for your system in case you need to do a reinstall
Click to expand...
Unfortunately Ken that is not correct. I am the proud owner of an HP Pavilion dv 8327d Entertainment Notebook Computer and the material I am reading is as follows: "Restore your System Without Discs - Your computer includes a new system recovery feature that does not require CDs or DVDs. You may burn your own recovery discs by going to Start>All programs>System Recovery>PC Recovery Disc Creator ORTo repair or restore from the hard drive restart computer and press f11 when prompted.

but must say I NEVER use IE,
This doesn't matter, the files will still be present
Click to expand...
I undertand the files will be there but why is explorer.exe running when I am not using internet explorer?



I NEVER use IE, so I don't know why it is asking to run so much. What is asking to run so much
Click to expand...
I chose to block Internet Explorer with the new firewall and it is indicating that programs using explorer.exe want to run and is looking for me to authorize explorer.exe.


I downloaded the firewall and now I see it happening What do you see happening?
Click to expand...
I never saw all the activity centered around this program running and now I do.



By the way .... I tried to run spybot before and when I went to update it choked on the malware update and then froze on me.
 
Unfortunately Ken that is not correct. I am the proud owner of an HP Pavilion dv 8327d Entertainment Notebook Computer and the material I am reading is as follows: "Restore your System Without Discs - Your computer includes a new system recovery feature that does not require CDs or DVDs. You may burn your own recovery discs by going to Start>All programs>System Recovery>PC Recovery Disc Creator ORTo repair or restore from the hard drive restart computer and press f11 when prompted.

You never stated this in the beginning, you told me reinstalling windows was not an option because you did not have the disks





I undertand the files will be there but why is explorer.exe running when I am not using internet explorer?

explorer runs your desktop, it handles many tasks and is always active




I chose to block Internet Explorer with the new firewall and it is indicating that programs using explorer.exe want to run and is looking for me to authorize explorer.exe.

There are a lot of legit programs that use IE to get updates, you should let it have access




I never saw all the activity centered around this program running and now I do.

There is a ton of activity going on on a computer all the time, you never noticed it before without a firewall. Most is ok, but if its something you dont know...Google it before you allow permission




http://forums.spybot.info/forumdisplay.php?f=4
You can post here in the Spybot forum and they can help you with installing it






Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Click to expand...


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
Thank you Ken ...

Sorry .... I did not know restore and reinstalling Windows was the same thing! I honestly don't know when to pick a restore point where the computer was fine ...

Do you think when I do the restore that the Ad Aware freebie program is worth keeping since since I will install those other recommended programs?

One last thing. On my son's infected computer, if I cant get the internet to begin working with someone in the forum, what would the process be?

Thank you for your help!!!
Donna:thanks:
 
Donna,

Doing a system restore basically just restores your computer back to a date you choose, but most times if serious malware is installed doing a restore wont remove it.

Using the utility they installed, you can use it to do a clean install of window, by doing that you will be guaranteed that any infections are gone. If you decide to do that you need to back up any photos or documents to a CD or External hard drive ( Costco has them for around $50 ) because with a reinstall you will loose everything. That partition they installed has the option to revert your system back to factory defaults as it was when the day you got it.

If you decide to do that, you can post here , this is our sister site and they can help you through the process
http://forums.whatthetech.com/Microsoft_Windows_f119.html


Remember not to post to the same thread for two different computers so you can post here in the same forum but for networking for your sons computer and they can help you get online.
http://forums.whatthetech.com/Networking_f128.html

Once they get your sons computer online, you can start a new thread here at Safer and one of us will reply to it and try to clean it up

Good Luck,

Ken :)
 
Sadly still not resolved despite the new firewall and router reset they are connected to my computer via wireless connection. I saw the network today do not know how.... Key logger?
 
Hi Donna,

Got the BBQ out yet ?

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Lol the weather is that nice??? I am at work
I will do the combofix when I get home and post. Please be mindful of the fact that I am NOT trying to work on my sons computer problem in this post but his is seriously compromised with virus and it is wireless and he shares the network. I am wondering if they compromise the network through his machine?
 
I am wondering if they compromise the network through his machine?
Click to expand...
Oh Yeah, big time.

I take computers home to work on and before I go online with them with my router I make sure there 100% clean. Prior to that I download any programs I need to my own computer and transfer them by CD to the infected one. There are infections going around that will infect external hard drives, flash or thumb drives, routers, a CD is ok as they cant infect that.

What you should do is shut down your sons computer, pull the network cable and just leave it be until its cleaned, this could wind up being a vicious circle and we wont get anywhere
 
Here is the combofix log first and HJT to follow

ComboFix 10-03-09.04 - Donna McKnight 03/09/2010 19:44:54.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.153 [GMT -5:00]
Running from: c:\documents and settings\Donna McKnight\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Donna McKnight\Start Menu\Programs\StartUp\MagicDisc.lnk
c:\windows\EventSystem.log
c:\windows\system32\bszip.dll
c:\windows\system32\tmp.reg
c:\windows\system32\Vbshell.tlb

.
((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.

2010-03-06 04:45 . 2010-03-10 00:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-06 04:45 . 2010-03-06 04:45 -------- d-----w- c:\program files\Sophos
2010-03-06 01:47 . 2010-03-06 04:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-06 01:47 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-06 01:01 . 2010-03-06 04:33 -------- d-----w- C:\ie-spyad
2010-03-06 00:51 . 2010-03-06 04:33 -------- d-----w- c:\program files\SpywareGuard
2010-03-06 00:37 . 2010-03-06 04:33 -------- d-----w- c:\program files\SpywareBlaster
2010-03-04 13:08 . 2010-03-06 00:52 -------- d-----w- c:\windows\Logs
2010-03-04 02:45 . 2010-03-04 02:46 -------- d-----w- C:\rsit
2010-03-03 12:52 . 2010-03-03 12:52 -------- d-----w- C:\_OTM
2010-03-03 00:30 . 2010-03-03 00:30 439816 ----a-w- c:\documents and settings\Donna McKnight\Application Data\Real\Update\setup3.10\setup.exe
2010-02-25 12:03 . 2010-03-06 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-02-25 12:03 . 2010-03-06 02:12 -------- d-----w- c:\documents and settings\Donna McKnight\Application Data\OnlineArmor
2010-02-25 12:02 . 2009-12-05 12:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-02-25 12:02 . 2009-12-05 12:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-02-25 12:02 . 2009-12-05 12:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-02-25 12:02 . 2010-02-25 12:02 -------- d-----w- c:\program files\Tall Emu
2010-02-25 06:06 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-25 06:06 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-25 06:06 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-25 06:06 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-25 06:06 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-25 06:06 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-25 06:06 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-25 06:05 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-25 06:05 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-25 06:05 . 2010-02-25 06:05 -------- d-----w- c:\program files\Alwil Software
2010-02-25 06:05 . 2010-02-25 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-25 04:54 . 2007-08-20 18:38 26376 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2010-02-25 04:54 . 2007-08-20 18:38 21128 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2010-02-23 03:17 . 2010-02-23 03:17 -------- d-----w- c:\documents and settings\Donna McKnight\Application Data\Malwarebytes
2010-02-23 03:17 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 03:17 . 2010-02-23 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 03:17 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 03:17 . 2010-03-06 04:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 04:18 . 2010-03-06 04:37 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 11:59 . 2008-12-24 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-06 04:47 . 2006-12-08 17:43 -------- d-----w- c:\program files\CA
2010-03-06 04:45 . 2009-08-12 23:50 -------- d-----w- c:\program files\iTunes
2010-03-06 04:44 . 2010-01-29 16:26 -------- d-----w- c:\program files\QuickTime
2010-03-06 04:44 . 2007-07-08 21:41 -------- d-----w- c:\program files\Common Files\Apple
2010-03-06 04:37 . 2008-11-02 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 04:33 . 2007-11-17 04:55 -------- d-----w- c:\program files\BitComet
2010-03-06 01:56 . 2006-06-05 11:48 143584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 01:48 . 2010-01-07 05:45 -------- d-----w- c:\program files\Lavasoft
2010-03-04 02:51 . 2010-01-23 02:35 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-24 14:16 . 2009-10-03 01:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 14:32 . 2006-06-05 12:23 -------- d-----w- c:\program files\Google
2010-02-05 14:36 . 2010-01-08 04:57 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-05 14:36 . 2010-01-08 04:55 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-05 14:36 . 2010-01-08 04:55 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-04 15:53 . 2010-01-07 20:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-29 16:41 . 2006-12-09 05:47 -------- d-----w- c:\documents and settings\Donna McKnight\Application Data\Apple Computer
2010-01-29 03:55 . 2010-01-29 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-29 03:50 . 2006-12-09 05:44 -------- d-----w- c:\program files\iPod
2010-01-29 02:35 . 2010-01-08 04:55 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-29 02:35 . 2010-01-08 04:55 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-29 01:27 . 2010-01-29 01:27 3584 ----a-r- c:\documents and settings\Donna McKnight\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-29 01:27 . 2010-01-29 01:27 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-01-29 01:24 . 2010-01-29 01:24 -------- d-----w- c:\program files\MSECACHE
2010-01-10 18:46 . 2006-06-05 12:05 -------- d-----w- c:\program files\Microsoft Works
2010-01-09 20:34 . 2010-01-09 20:34 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-05 10:00 . 2004-08-10 15:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 15:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2005-05-10 08:17 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2004-08-10 15:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-10 15:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2007-02-16 13:21 . 2007-02-16 13:21 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"nwiz"="nwiz.exe" [2006-04-15 1519616]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 151552]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-17 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-11-8 73728]

c:\documents and settings\Donna McKnight\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-4-7 217190]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-10 98304]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 811008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Donna McKnight^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\Donna McKnight\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/7/2010 3:31 PM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/25/2010 1:06 AM 162640]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2/25/2010 7:02 AM 223312]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2/25/2010 7:02 AM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2/25/2010 7:02 AM 29776]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/25/2010 1:06 AM 19024]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2/25/2010 7:02 AM 1282248]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2/25/2010 7:02 AM 3291336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1228208]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/22/2010 10:17 PM 38224]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3B8.tmp --> c:\windows\system32\3B8.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:52]

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.shopping.hp.com/webapp/shopping/generic_subcategory.do?storeName=storefronts&landing=storefronts&category=esp_notebooks&subcat1=esp_notebooks&catLevel=2
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Donna McKnight\Application Data\Mozilla\Firefox\Profiles\f4s6oqka.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT411384&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Donna McKnight\Application Data\Mozilla\Firefox\Profiles\f4s6oqka.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCltInstall.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsview.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe
HKLM-Run-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3B8.tmp"
.
Completion time: 2010-03-09 20:02:27
ComboFix-quarantined-files.txt 2010-03-10 01:02
ComboFix2.txt 2008-04-12 22:29
ComboFix3.txt 2008-04-12 20:12

Pre-Run: 51,320,598,528 bytes free
Post-Run: 51,251,044,352 bytes free

- - End Of File - - C9360E8F7740F033BAADEB3DB5EB3E82
 
Hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:45 PM, on 3/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Donna McKnight\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.shopping.hp.com/webapp/s...sp_notebooks&subcat1=esp_notebooks&catLevel=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.online.library.marist.edu/lib/marist/support/plugins/ebraryRdr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1262927208834
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview.com/product/public/svinstall_a_green.exe
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c13/v19.108/qboax10.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://at-twc.twcable.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 14092 bytes
 
Donna,

CF removed a few nasties , the rest of your logs look ok


Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Interesting .... logs look okay, but ESET is currently showing one virus! It is not done running yet, but I will post the log when it is.
 
Donna,

c:\windows\system32\bszip.dll <-- This was removed by Combofix, its a worm which means it can spread to other computers, did it come from your sons computer...I don't know but this is why its so important right now to keep your sons computer offline.

1. How many computers besides the one we are working on and your sons hook up to the router to access the internet ?

2. Are these computers networked, what I mean by this is can you access one of the other computers from your own. Just because you have a few computers hooked up to your router does not mean there networked, they just all access the internet through your router, can these computers see each other, for example can you go on your sons computer and access files and such on your computer ?




Lets see what ESET finds and go from there
 
eset log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e8221e3fff228c43a3bd35ae0fcdf700
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-10 04:54:27
# local_time=2010-03-09 11:54:27 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 59389812 59389812 0 0
# compatibility_mode=768 16777175 100 0 194886 194886 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=6401 16777213 66 100 0 7255208 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=146484
# found=1
# cleaned=1
# scan_time=6042
C:\Documents and Settings\Donna McKnight\Desktop\Flash_Disinfector.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 
Status
Not open for further replies.
Back
Top