HJT Did Not Produce a Log

Inherit.exe

There is no need to apologize. I am grateful that you are there and willing to help me out.

I downloaded inherit.exe from another computer to a flash drive and when I tried to put it on the desktop of the infected laptop, it would not allow me to do that.

Following that, I broke my isolation and enabled my network connection. When I tried to run Internet Explorer in order to download inherit.exe, I got "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access this item." I then disabled my network connection and re-booted in the Safe Mode.

There I was able to place inherit.exe on the desktop and put a fresh copy of ComboFix in it. I also transferred HijackThis to inherit.exe and deleted it from the desktop.

I had left the laptop on all night to see if ComboFix would deliver something this morning which it did not. I had then tried to run HijackThis and was told that I could not. When I tried to delete it I had not been allowed to do that either.

After completing your instruction in the Safe Mode, I rebooted. Once again, I got a command screen with the "Grep is not recognized..." warning. After a while, on that same screen I got "Please wait ComboFix is preparing to run" and then the command screen disappeared.

I do have Inherit.exe on my desktop and look forward to the next instruction.
 
Hi,

Grep is part of CF. Did you delete CF and download a fresh copy? Did you remember to rename it?

You can try this

Combo-fix.exe <-- Right-click on it, rename it to Melsdad.exe and drop it into Inherit.

If no luck, hang on, I am going to have someone else take a peek at this.
 
Post these results please

Open notepad and copy/paste the text inside the quotebox below into it:

@ECHO OFF
REM List every copy of these system DLLs under C:\WINDOWS (all attributes, all subfolders) and write the listing to Log.txt
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing in the default text editor
START Log.txt
REM Delete this batch file once it has run
DEL %0


Save the above batch file as peek.bat to your desktop, double-click to run it and post back with the contents.
 
I was about to respond when I found an additional instruction.

I had to go into the Safe Mode in order to drop Melsdad.exe into Inherit. When I rebooted, I did not see the command window with the comment regarding Grep.

The log from Peek follows:

Volume in drive C has no label.
Volume Serial Number is 1C45-0905

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 3,865,030,656 bytes free

Thanks for your help.
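The check the helper is making by hand with peek.bat above (comparing the copy of each DLL in system32 against the Service Pack reference copy) can be automated over the posted log. This is an added example, not code from the thread or from ComboFix; it assumes the DIR /a/s output format shown in the post, with the three posted directory blocks embedded as sample input.

```python
"""Parse a DIR /a/s listing like the one peek.bat produces and flag system
DLLs whose live copy in system32 differs in size from the Service Pack
reference copy in ServicePackFiles\\i386."""
import re
from collections import defaultdict

# Sample input: the peek.bat log posted in the thread (column padding
# reconstructed by hand, the forum collapsed it).
PEEK_LOG = """\
 Volume in drive C has no label.
 Volume Serial Number is 1C45-0905

 Directory of C:\\WINDOWS\\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll
08/04/2004 06:00 AM 407,040 netlogon.dll
08/04/2004 06:00 AM 55,808 eventlog.dll
               3 File(s) 643,072 bytes

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
               3 File(s) 644,608 bytes

 Directory of C:\\WINDOWS\\system32

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 61,952 eventlog.dll
               3 File(s) 650,240 bytes
"""

# The four files peek.bat asks DIR for.
REQUESTED = ["scecli.dll", "netlogon.dll", "eventlog.dll", "cngaudit.dll"]

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, size (with thousands separators), filename; <DIR> rows and the
# "n File(s)" summary rows do not match this shape and are skipped.
FILE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Return {filename.lower(): {directory.lower(): size_in_bytes}}."""
    sizes = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            size = int(m.group(3).replace(",", ""))
            sizes[m.group(4).lower()][current_dir] = size
    return dict(sizes)


def find_size_mismatches(sizes, live_suffix="\\system32",
                         ref_suffix="\\servicepackfiles\\i386"):
    """Return [(name, live_size, ref_size)] for every file whose copy in the
    live directory differs in size from the Service Pack reference copy."""
    mismatches = []
    for name, by_dir in sorted(sizes.items()):
        live = [s for d, s in by_dir.items() if d.endswith(live_suffix)]
        ref = [s for d, s in by_dir.items() if d.endswith(ref_suffix)]
        if live and ref and live[0] != ref[0]:
            mismatches.append((name, live[0], ref[0]))
    return mismatches


def missing_files(sizes, requested=REQUESTED):
    """Requested files that appeared in no listed directory at all."""
    return [n for n in requested if n.lower() not in sizes]


if __name__ == "__main__":
    parsed = parse_dir_listing(PEEK_LOG)
    for name, live, ref in find_size_mismatches(parsed):
        print(f"{name}: system32 copy is {live} bytes, Service Pack copy is {ref} bytes")
    for name in missing_files(parsed):
        print(f"{name}: not present in any listed directory")
```

On the posted log this reports eventlog.dll alone as mismatched (61,952 bytes live against 56,320 in the reference copy), which is the file the helper's next step targets.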
 
Hi,

This is what we need to do. First, drag ComboFix to the trash. We are going to redownload it, but not rename it this time, and there is no need to drop it into Inherit.

Open notepad and copy/paste the text in the quotebox below into it:


REM Set the Event Log service start type to Disabled so it does not start at the next boot
@SC CONFIG EVENTLOG START= DISABLED


Save this as fix.bat, choosing "Save as type - All Files".


Double click on fix.bat & allow it to run.

Reboot

Run ComboFix.exe. If you see "Grep is not recognized as an internal or external command, operable program or batch file.", be patient; ComboFix will get past that and run.




Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connection.
 
ComboFix and HiJackThis Logs

Hi Ken545:

My work on the PC today has been quite piecemeal. I ran fix.bat and then I rebooted the computer to find ComboFix and remove it. I left the PC for a while and when I returned to continue my work, it appeared as if ComboFix was hard at work so I let it continue.

Sometime later, it was telling me that I did not have the recovery console installed so I broke isolation, made a network connection, and clicked Yes to download and install.

Sometime later, I was told that the installation had been successful. At that point I had to leave the house for an extended period of time and I left the PC running. When I got back, Notepad was open and the ComboFix log was displayed.

I then downloaded HijackThis from Trend Micro and ran that as well. The two resulting logs are attached. I was thrilled to see those processes work!

I will be available for the next several hours.
 
Great, but I do not see any attachments. That's OK, I'd rather you just copy and paste both logs in, please.
 
Log Content

Sorry about that!

The ComboFix Log:

ComboFix 09-10-16.09 - Melanie Lewis 10/19/2009 11:14.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.571 [GMT -4:00]
Running from: c:\documents and settings\Melanie Lewis\Desktop\Combo-Fix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MELANI~1\LOCALS~1\Temp\rd56.tmp\____mmfp.ocx
c:\documents and settings\Melanie Lewis\Local Settings\Temp\rd56.tmp\____mmfp.ocx
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Install.txt
c:\windows\Installer\7e0192d.msp
c:\windows\Installer\7e0192e.msp
c:\windows\Installer\7e0192f.msp
c:\windows\Installer\7e01930.msp
c:\windows\Installer\82c6ca6.msp
c:\windows\Installer\82c6ca7.msp
c:\windows\Installer\82c6ca8.msp
c:\windows\Installer\82c6ca9.msp
c:\windows\Installer\82c6caa.msp
c:\windows\Installer\82c6cab.msp
c:\windows\Installer\82c6cac.msp
c:\windows\Installer\82c6cad.msp
c:\windows\Installer\82c6cae.msp
c:\windows\Installer\95aa3a7.msp
c:\windows\Installer\95aa3a8.msp
c:\windows\Installer\95aa3a9.msp
c:\windows\Installer\95aa3aa.msp
c:\windows\Installer\95aa3ab.msp
c:\windows\Installer\95aa3ac.msp
c:\windows\Installer\95aa3ad.msp
c:\windows\Installer\95aa3ae.msp
c:\windows\Installer\95aa3af.msp
c:\windows\Installer\962f1b0.msp
c:\windows\Installer\962f1b1.msp
c:\windows\Installer\962f1b2.msp
c:\windows\Installer\962f1b3.msp
c:\windows\Installer\962f1b4.msp
c:\windows\Installer\962f1b5.msp
c:\windows\Installer\962f1b6.msp
c:\windows\Installer\962f1b7.msp
c:\windows\Installer\962f1b8.msp
c:\windows\Installer\98bfbcb.msp
c:\windows\Installer\98bfbcc.msp
c:\windows\Installer\98bfbcd.msp
c:\windows\Installer\98bfbce.msp
c:\windows\Installer\98bfbcf.msp
c:\windows\Installer\98bfbd0.msp
c:\windows\Installer\98bfbd1.msp
c:\windows\Installer\98bfbd2.msp
c:\windows\Installer\98bfbd3.msp
c:\windows\Installer\9cbc4b6.msp
c:\windows\Installer\9cbc4b7.msp
c:\windows\Installer\9cbc4b8.msp
c:\windows\Installer\9cbc4b9.msp
c:\windows\Installer\9cbc4ba.msp
c:\windows\Installer\9cbc4bb.msp
c:\windows\Installer\9cbc4bc.msp
c:\windows\Installer\9cbc4bd.msp
c:\windows\Installer\9cbc4be.msp
c:\windows\Installer\c3399.msp
c:\windows\Installer\c339a.msp
c:\windows\Installer\c339b.msp
c:\windows\Installer\c339c.msp
c:\windows\Installer\c339d.msp
c:\windows\Installer\c339e.msp
c:\windows\Installer\c339f.msp
c:\windows\Installer\c33a0.msp
c:\windows\Installer\c33a1.msp
c:\windows\Installer\c6ad55.msp
c:\windows\Installer\c6ad56.msp
c:\windows\Installer\c6ad57.msp
c:\windows\Installer\c6ad58.msp
c:\windows\Installer\c6ad59.msp
c:\windows\Installer\c6ad5a.msp
c:\windows\Installer\c6ad5b.msp
c:\windows\Installer\c6ad5c.msp
c:\windows\Installer\c6ad5d.msp
c:\windows\Installer\cef2f65.msp
c:\windows\Installer\cef2f66.msp
c:\windows\Installer\cef2f67.msp
c:\windows\Installer\cef2f68.msp
c:\windows\Installer\cef2f69.msp
c:\windows\Installer\cef2f6a.msp
c:\windows\Installer\cef2f6b.msp
c:\windows\Installer\cef2f6c.msp
c:\windows\Installer\cef2f6d.msp
c:\windows\Installer\d1c63.msp
c:\windows\Installer\d1c64.msp
c:\windows\Installer\d1c65.msp
c:\windows\Installer\d1c66.msp
c:\windows\Installer\d1c67.msp
c:\windows\Installer\d1c68.msp
c:\windows\Installer\d1c69.msp
c:\windows\Installer\d1c6a.msp
c:\windows\Installer\d1c6b.msp
c:\windows\run.log
c:\windows\system32\axaltocm.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\19ba2ed9.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Temp\~2E.dll
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\t4m0_70790121130.bk.old
c:\windows\TEMP\x1c31584.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_MDTDISK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_mdtdisk


((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-17 12:14 . 2009-10-17 12:28 -------- dc----w- C:\Combo-Fix
2009-10-11 18:26 . 2009-10-13 16:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 20:07 . 2009-10-09 10:30 -------- d-----w- c:\documents and settings\Melanie Lewis\.housecall6.6
2009-10-08 19:54 . 2009-10-08 19:54 -------- d-----w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\Threat Expert
2009-10-08 11:23 . 2006-09-18 20:07 166 -c--a-w- C:\hosts.bat
2009-10-07 11:15 . 2009-10-07 11:15 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-10-05 23:17 . 2009-10-05 23:17 -------- dc----w- C:\$AVG8.VAULT$
2009-10-05 22:53 . 2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 22:52 . 2009-10-05 22:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 22:52 . 2009-10-05 22:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 22:52 . 2009-10-05 22:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 22:52 . 2009-10-11 16:06 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-05 22:52 . 2009-10-05 22:52 -------- d-----w- c:\program files\AVG
2009-10-05 22:52 . 2009-10-17 18:37 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-04 23:22 . 2009-10-04 23:22 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-10-04 15:44 . 2009-10-04 15:48 -------- dc-h--w- c:\windows\ie8
2009-10-03 01:41 . 2009-10-03 01:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-01 01:26 . 2009-10-01 01:26 -------- d-----w- c:\documents and settings\Melanie Lewis\Application Data\AVG8
2009-10-01 00:43 . 2009-10-01 00:43 -------- dc----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-29 18:44 . 2009-09-29 18:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-28 22:37 . 2009-09-29 11:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-26 23:39 . 2009-10-16 22:14 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 16:21 . 2008-06-29 03:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-15 00:57 . 2008-05-31 22:58 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:44 . 2006-06-21 23:06 -------- d-----w- c:\program files\Spybot - Search & DestroyThis Folder
2009-10-06 20:30 . 2008-11-21 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:30 . 2006-06-14 04:16 -------- d-----w- c:\program files\Java
2009-10-06 19:22 . 2009-10-06 19:22 0 ----a-w- c:\windows\system32\REN42.tmp
2009-10-04 23:22 . 2009-02-09 04:20 -------- d-----w- c:\program files\MSECACHE
2009-09-30 10:59 . 2009-09-16 15:38 -------- dc----w- c:\documents and settings\All Users\Application Data\14487344
2009-09-29 13:05 . 2006-08-13 05:18 -------- d-----w- c:\program files\Soulseek
2009-09-29 00:47 . 2006-12-06 18:30 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-09-27 16:54 . 2008-09-09 04:27 -------- d-----w- c:\program files\DivX
2009-09-07 18:08 . 2007-03-26 02:34 -------- d--h--w- c:\documents and settings\Melanie Lewis\Application Data\Move Networks
2009-08-27 08:35 . 2006-06-28 21:47 38888 ----a-w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-06 149280]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-06-14 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-14 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-12-6 118784]
NuvaTime(tm).lnk - c:\program files\NuvaTime\NuvaTime(tm).exe [2004-5-17 1051655]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 6:52 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 6:52 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 6:52 PM 297752]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 6:00 AM 94208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2008 1:45 PM 24652]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 6:52 PM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 03:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-HijackThis - c:\documents and settings\Melanie Lewis\Desktop\Tool Box\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 11:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="c:\windows\system32\BtwSrv.dll\00…dÿÿÿPè›úÿÿ‹ÐMÔ蹎ÿÿMÐèuŽÿÿM˜èÙŽÿÿÇEü\0d\00\00\00‹UԍMØèCŽÿÿhç‹@\00ët‹Eðƒà\04…Àt\08MØèBŽÿÿE¬PE°PE´PE¸PE¼PEÀPEÄPEÈPEÌPEÐPj\0aè+ŽÿÿƒÄ,M¨èVŽÿÿ…xÿÿÿPEˆPE˜Pj\03èjŽÿÿƒÄ\10…tÿÿÿPj\00èçÿÿÍMÔèØÿÿËEØ‹Màd‰\0d\00\00\00\00_^
[ÉÂ\04\00è ÿÿU‹ìƒì\14h\16\19@\00d"

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1516)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-19 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-19 15:36

Pre-Run: 3,842,203,648 bytes free
Post-Run: 4,813,504,512 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

1185 --- E O F --- 2009-10-19 13:00


The HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:23 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Melanie Lewis\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/...13fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9731 bytes
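A small triage helper for a log in the HijackThis v2.0.x format posted above, added here as an example (it is not the forum's or HijackThis's own code). The heuristics it applies (orphaned CLSIDs, services with no publisher or a missing binary, Run entries that are a bare file name rather than an absolute path) are my assumptions about what a helper reads first, and the sample lines are constructed from the same format.

```python
"""Triage helper for logs in the HijackThis v2.0.x format shown above.

Added example; not code from the forum thread or from HijackThis itself.
The heuristics are assumptions about what a helper looks at first:
  * O2/O3 entries whose CLSID points at "(no file)" (orphaned BHO/toolbar)
  * O23 services with "Unknown owner" or "(file missing)"
  * O4 Run entries whose command is a bare file name rather than an
    absolute path (such commands resolve through the search path)
"""
import re
from dataclasses import dataclass, field

# "O23 - Service: ..." / "R1 - HKLM\..." : kind, separator, rest of line
LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%)")   # C:\... or %windir%\...


@dataclass
class Entry:
    kind: str                      # e.g. "O23"
    body: str                      # text after "O23 - "
    findings: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return one Entry per R/O line; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def run_command_exe(body: str) -> str:
    """Extract the executable from an O4 body like 'HKLM\\..\\Run: [name] cmd'.

    Quoted commands are cut at the closing quote; unquoted ones at the first
    space (an unquoted path with spaces still keeps its drive prefix, which
    is all the absolute-path check needs).
    """
    if "] " not in body:
        return ""                  # e.g. "Global Startup: foo.lnk = ?"
    cmd = body.split("] ", 1)[1].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(entries: list) -> list:
    """Attach findings to entries in place and return those that got any."""
    for e in entries:
        b = e.body
        if e.kind in ("O2", "O3") and b.endswith("(no file)"):
            e.findings.append("orphaned CLSID: registered but file is gone")
        elif e.kind == "O23":
            if "Unknown owner" in b:
                e.findings.append("service binary carries no publisher name")
            if b.endswith("(file missing)"):
                e.findings.append("service registered but binary is missing")
        elif e.kind == "O4":
            exe = run_command_exe(b)
            if exe and not ABS_PATH_RE.match(exe):
                e.findings.append(f"Run entry uses bare name {exe!r}, not an absolute path")
    return [e for e in entries if e.findings]


def flagged(text: str) -> list:
    return triage(parse_hjt(text))


# Constructed sample: a handful of lines in the same format as the log above.
SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE):
        print(e.kind, "-", e.body)
        for f in e.findings:
            print("    !", f)
```

A flagged entry is a starting point for a look-up, not a verdict: the bare-name Run entries in the sample are legitimate OEM and Windows components, which is exactly why a helper checks them rather than deletes them.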
 
Hi,

c:\program files\Soulseek <-- This is most likely how you got infected. File sharing programs have become the latest source of infections; think about it, you're downloading a file from an unknown source, it's like playing Russian Roulette malwarewise.



Go to your Add/Remove Programs in the Control Panel and uninstall Viewpoint; it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.




Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::


Code:
File::
C:\WINDOWS\system32\BtwSrv.dll 
c:\windows\system32\REN42.tmp
c:\documents and settings\Melanie Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.





Please download Malwarebytes' Anti-Malware from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please


Post the new Combofix log, the Malwarebytes log and a new HJT log please
 
I removed two programs that had Viewpoint in the name. Proceeded to save CFScript to my desktop. When I tried to drop it into ComboFix and ComboFix prepared to run, I received an error message to the effect that CFScript was misspelled.

I tried running ComboFix again and it appeared to go well. The outcome is listed here:

ComboFix 09-10-18.03 - Melanie Lewis 10/19/2009 22:52.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.596 [GMT -4:00]
Running from: c:\documents and settings\Melanie Lewis\Desktop\ComboFix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MELANI~1\LOCALS~1\Temp\rdC.tmp\____mmfp.ocx
c:\documents and settings\Melanie Lewis\Local Settings\Temp\rdC.tmp\____mmfp.ocx
c:\windows\TEMP\mta13187.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.

2009-10-17 12:14 . 2009-10-17 12:28 -------- dc----w- C:\Combo-Fix
2009-10-11 18:26 . 2009-10-13 16:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 20:07 . 2009-10-09 10:30 -------- d-----w- c:\documents and settings\Melanie Lewis\.housecall6.6
2009-10-08 19:54 . 2009-10-08 19:54 -------- d-----w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\Threat Expert
2009-10-08 11:23 . 2006-09-18 20:07 166 -c--a-w- C:\hosts.bat
2009-10-07 11:15 . 2009-10-07 11:15 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-10-05 23:17 . 2009-10-05 23:17 -------- dc----w- C:\$AVG8.VAULT$
2009-10-05 22:53 . 2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 22:52 . 2009-10-05 22:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 22:52 . 2009-10-05 22:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 22:52 . 2009-10-05 22:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 22:52 . 2009-10-11 16:06 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-05 22:52 . 2009-10-05 22:52 -------- d-----w- c:\program files\AVG
2009-10-05 22:52 . 2009-10-17 18:37 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-04 23:22 . 2009-10-04 23:22 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-10-04 15:44 . 2009-10-04 15:48 -------- dc-h--w- c:\windows\ie8
2009-10-03 01:41 . 2009-10-03 01:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-01 01:26 . 2009-10-01 01:26 -------- d-----w- c:\documents and settings\Melanie Lewis\Application Data\AVG8
2009-10-01 00:43 . 2009-10-01 00:43 -------- dc----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-29 18:44 . 2009-09-29 18:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-28 22:37 . 2009-09-29 11:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-26 23:39 . 2009-10-19 15:27 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 02:29 . 2006-06-14 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-18 16:21 . 2008-06-29 03:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-15 00:57 . 2008-05-31 22:58 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:44 . 2006-06-21 23:06 -------- d-----w- c:\program files\Spybot - Search & DestroyThis Folder
2009-10-06 20:30 . 2008-11-21 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:30 . 2006-06-14 04:16 -------- d-----w- c:\program files\Java
2009-10-06 19:22 . 2009-10-06 19:22 0 ----a-w- c:\windows\system32\REN42.tmp
2009-10-04 23:22 . 2009-02-09 04:20 -------- d-----w- c:\program files\MSECACHE
2009-09-30 10:59 . 2009-09-16 15:38 -------- dc----w- c:\documents and settings\All Users\Application Data\14487344
2009-09-29 13:05 . 2006-08-13 05:18 -------- d-----w- c:\program files\Soulseek
2009-09-29 00:47 . 2006-12-06 18:30 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-09-27 16:54 . 2008-09-09 04:27 -------- d-----w- c:\program files\DivX
2009-09-07 18:08 . 2007-03-26 02:34 -------- d--h--w- c:\documents and settings\Melanie Lewis\Application Data\Move Networks
2009-08-27 08:35 . 2006-06-28 21:47 38888 ----a-w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-19_15.31.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-20 03:02 . 2009-10-20 03:02 16384 c:\windows\temp\Perflib_Perfdata_718.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-06 149280]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-06-14 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-14 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-12-6 118784]
NuvaTime(tm).lnk - c:\program files\NuvaTime\NuvaTime(tm).exe [2004-5-17 1051655]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 6:52 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 6:52 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 6:52 PM 297752]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 6:00 AM 94208]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 6:52 PM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 03:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="c:\windows\system32\BtwSrv.dll" [registry value continues with unreadable binary data in the original log]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF6278.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-20 23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-20 03:08
ComboFix2.txt 2009-10-19 15:36

Pre-Run: 4,777,717,760 bytes free
Post-Run: 4,750,938,112 bytes free

- - End Of File - - 72A307B76CBF634BFAA5EAEAD86BACF9


The HijackThis file was:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:01 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Melanie Lewis\Desktop\Spybot Working Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/...13fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9438 bytes

When I went to download Malwarebytes, however, I got an error message to the effect that Trojan Horse PSW.Banker5.Z0Y was present. When I requested that it be "cured" I got a message to the effect that some files could not be healed...

I hope I have not infected another one of my computers while trying to fix my daughter's!
 
Hi,

I need you to run Malwarebytes. After we're done here you can post in the forum for your other computer.

You can run this one if Malwarebytes gives you a problem

Please download SuperAntiSpyware Free
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
 
SUPERAntiSpyware and HijackThis Logs

Good morning! Here are the two logs. I was unable to download Malwarebytes. Thankfully the alternate Spyware program worked.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/20/2009 at 07:57 AM

Application Version : 4.29.1004

Core Rules Database Version : 4175
Trace Rules Database Version: 2094

Scan type : Complete Scan
Total Scan Time : 00:47:20

Memory items scanned : 487
Memory threats detected : 1
Registry items scanned : 5204
Registry threats detected : 0
File items scanned : 22380
File threats detected : 57

Trojan.Agent/Gen-Virut[FNS]
C:\WINDOWS\SYSTEM32\FASTNETSRV.EXE
C:\WINDOWS\SYSTEM32\FASTNETSRV.EXE
C:\WINDOWS\Prefetch\FASTNETSRV.EXE-17B57F56.pf

Adware.Tracking Cookie
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.sun[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@a1.interclick[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@a1.interclick[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@accounts.pkr[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ad.m5prod[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@adinterax[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.adap[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.fatvine[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.funadvice[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.ireport[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.lucidmedia[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.mediamayhemcorp[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.techguy[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.undertone[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.widgetbucks[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@adtracker.americantowns[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@bizrate[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@caloriecount.about[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@cdnh.tremormedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@cdnh.tremormedia[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@cdnh.tremormedia[3].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@chitika[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@clicksor[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@collective-media[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@dc.tremormedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@elitecme[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@hairfinder[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@imediablast[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@interclick[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@intermundomedia[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@invitemedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@invitemedia[3].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@lfstmedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@media-bucket[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@media6degrees[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@myaccount.bellsouth[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@optimize.indieclick[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@qnsr[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@richmedia.yahoo[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@socialmedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@specificmedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.findyourspot[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[4].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[5].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[6].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[7].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.hairfinder[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\system@media6degrees[2].txt

Adware.Media-Codec/ZLob
C:\Program Files\Applications

Trojan.Agent/Gen
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EVENTLOG.DLL.VIR

Rootkit.Agent/Gen-DiskFake
C:\WINDOWS\SYSTEM32\MDTDISK.SYS

Trojan.Agent/Gen-WIWOW64
C:\WINDOWS\SYSTEM32\WMDTC.EXE
C:\WINDOWS\Prefetch\WMDTC.EXE-3367E9ED.pf


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:24 AM, on 10/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Melanie Lewis\Desktop\Spybot Working Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/...13fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\WINDOWS\system32\FastNetSrv.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9821 bytes


I will be gone most of the day but will look for a response this evening.
 
One more scan

Download Dr.Web CureIt to the desktop:
  • Doubleclick the drweb-cureit icon to start the program.
  • press start
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
  • During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
    Note: If the file cannot be cured, Dr.Web will automatically delete the file.
  • Once the scan is complete, on the menu bar, click File and choose Report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web CureIt.
  • Please post the Dr.Web.txt report in your next reply
 
Dr. Web CureIt Log

I lost power right after the express scan was completed and had to reboot. The express scan found one item. The full scan took a long time because I was not able to be around to acknowledge each infection found. The log for the full scan follows:

InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
A0006833.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP16;Trojan.DownLoad.47474;Deleted.;
A0011971.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP17;Trojan.Click.1487;Deleted.;

Again, thanks for your help.
 
Current Condition

Hi Ken545,

I can't tell how things are running now since I have no Spybot Search and Destroy, etc. The main thing is that when I try to use Internet Explorer I get the old "Windows cannot access the specified device, path or file..." error message. I am assuming that this is the result of the rootkit infection that was present.

I am not sure that I know how to try to reload IE so that I can get Spybot and some of the other programs running.

Which of all the programs you had me download, if any, should stay on the machine we have been working on? I see that I have SuperAntiSpyware in the systray.
 
You have a marker in your log for a serious infection; this is what I would like you to do.

First I would like you to run Dr Web, I need to see the complete report.

Then do this.

Open notepad and then copy and paste the bolded lines below into Notepad.
Go to File > save as and name the file fixes.bat.
Change the Save as type to all files and save it to your desktop.

@echo off
rem Stop the service whose binary HijackThis reported as "(file missing)", then remove its registration
sc stop fastnetsrv
sc delete fastnetsrv


Double-click on fixes.bat file to execute it.

Reboot and post a fresh hjt log.
 
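The `sc stop` / `sc delete` pair in the post above removes a service whose executable HijackThis reports as `(file missing)`. As an added example, not code from the thread or from HijackThis, here is a small Python script that picks those orphaned O23 entries (and the `(no file)` O3 toolbars) out of an HJT log and writes the same kind of fixes.bat. The sample log lines are constructed from the ones posted in this thread; the assumption that HJT prints a service's short name in parentheses only when it differs from the display name is mine.

```python
"""Pick the orphaned O3/O23 entries out of a HijackThis log.

Added example, not code from the thread or from HijackThis. An O23 line ending
in "(file missing)" is a service registration whose executable is gone, and an
O3 line ending in "(no file)" is a toolbar CLSID whose DLL is gone. For each
orphaned service the script emits the same `sc stop` / `sc delete` pair the
thread's fixes.bat uses.
"""
import re

# Constructed sample: the shape of the lines is copied from the thread's HJT log.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\WINDOWS\system32\FastNetSrv.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
"""

# O23 - Service: <display name> [(<short name>)] - <owner> - <path> [(file missing)]
# Assumption: HJT prints the short name in parentheses only when it differs
# from the display name, so the display name is used as the fallback.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# O3 - Toolbar: <name> - {CLSID} - <dll path or "(no file)">
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")


def parse_services(log_text):
    """Return one dict per O23 line; 'missing' is True when HJT saw no binary."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        services.append({
            "display": m["display"],
            "short": m["short"] or m["display"],
            "owner": m["owner"],
            "path": m["path"],
            "missing": m["missing"] is not None,
        })
    return services


def orphaned_services(log_text):
    """Services whose executable is gone: the '(file missing)' O23 entries."""
    return [s for s in parse_services(log_text) if s["missing"]]


def dangling_toolbars(log_text):
    """CLSIDs of O3 toolbars whose DLL is gone: the '(no file)' entries."""
    clsids = []
    for line in log_text.splitlines():
        m = O3_RE.match(line.strip())
        if m and m["path"] == "(no file)":
            clsids.append(m["clsid"])
    return clsids


def fixes_bat(log_text):
    """Build a fixes.bat like the one in the thread, one stop/delete pair per orphan.

    sc needs the service name quoted when it contains spaces.
    """
    lines = ["@echo off"]
    for s in orphaned_services(log_text):
        name = f'"{s["short"]}"' if " " in s["short"] else s["short"]
        lines.append(f"sc stop {name}")
        lines.append(f"sc delete {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for s in orphaned_services(SAMPLE_HJT_LOG):
        print(f"orphaned service: {s['short']} -> {s['path']}")
    for clsid in dangling_toolbars(SAMPLE_HJT_LOG):
        print(f"dangling toolbar: {clsid}")
    print(fixes_bat(SAMPLE_HJT_LOG), end="")
```

The O3 entries are only listed, not scripted: clearing a toolbar CLSID is what HijackThis's own "Fix checked" button is for, whereas a service registration is what `sc delete` is for. Service names that contain spaces (the Lavasoft entry in the sample) are quoted, since `sc` treats an unquoted space as the end of the name.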
New HijackThis and DrWeb Logs

Yesterday, I wasn't sure whether I should merely exit Dr. Web when it was finished and the report filed or whether I should have done something about InstallHelper.exe that seemed to be just sitting there.

Today, I debated whether to try to cure it but was not sure whether to rename, delete, or move it so I exited without neutralizing the threat before closing as I did yesterday.

I don't know what InstallHelper is supposed to do or how critical it is for my daughter. If it is legitimate and got infected, I suppose it can always be obtained again from the original source.

The log for Dr Web is:

InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;;

The HijackThis log made after running Fixes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:24 AM, on 10/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Melanie Lewis\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/...13fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9740 bytes
 
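The two Dr.Web reports posted above are semicolon-separated records, and the uncertainty about InstallHelper.exe comes from its fourth field being empty: CureIt listed the detection but took no action. As an added example, not part of the thread and not Dr.Web's own tooling, here is a Python reader for that report format that separates treated from untreated detections; the records are constructed from the ones posted in the thread, and the reading of the "Probably" prefix as a heuristic verdict is an assumption of mine.

```python
"""Read a Dr.Web CureIt report and separate treated from untreated detections.

Added example, not part of the thread and not Dr.Web's own tooling. CureIt's
report has one semicolon-separated record per detection:
    file;directory;verdict;action;
An empty action field means the scanner did nothing with that file, which is
exactly the case of InstallHelper.exe in the thread. The records below are
constructed from the ones posted there.
"""

# Files under this prefix are System Restore snapshots, not files on the live system.
RESTORE_POINT_PREFIX = r"C:\System Volume Information\_restore"

SAMPLE_REPORT = r"""
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
A0006833.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP16;Trojan.DownLoad.47474;Deleted.;
"""


def parse_report(text):
    """Return one dict per detection record, skipping blank or malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue  # not a detection record
        name, directory, verdict, action = fields[:4]
        records.append({
            "file": name,
            "path": directory + "\\" + name,
            "verdict": verdict,
            "action": action.rstrip("."),  # "Deleted." -> "Deleted"; "" stays ""
            # Assumption: Dr.Web prefixes heuristic-analyser verdicts with "Probably".
            "heuristic": verdict.startswith("Probably "),
            "in_restore_point": directory.startswith(RESTORE_POINT_PREFIX),
        })
    return records


def untreated(text):
    """Detections the scanner reported but took no action on."""
    return [r for r in parse_report(text) if r["action"] == ""]


def summary(text):
    """The counts a helper wants at a glance when reading a posted report."""
    recs = parse_report(text)
    return {
        "total": len(recs),
        "untreated": sum(1 for r in recs if r["action"] == ""),
        "heuristic": sum(1 for r in recs if r["heuristic"]),
        "in_restore_point": sum(1 for r in recs if r["in_restore_point"]),
    }


if __name__ == "__main__":
    for r in untreated(SAMPLE_REPORT):
        kind = "heuristic" if r["heuristic"] else "signature"
        print(f"UNTREATED ({kind}): {r['path']} -> {r['verdict']}")
    print(summary(SAMPLE_REPORT))
```

The restore-point flag matters when reading the first report: the A00…exe hits under System Volume Information are System Restore snapshots rather than files in use, which is why the ComboFix /u procedure later in the thread includes "Reset System Restore".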
Hi,

That file most likely is ok. I was looking for something else but since Dr Web didn't find anything it looks like you're good to go.

You can delete all the tools we used in the beginning, win32kdiag, inherit, just drag them to the trash.

RootRepeal <---Drag it to the trash

TFC <--Yours to keep, run it about once a week to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
The End Is Near???

Ken:

Many thanks for your help and for the suggested reading. I will make sure my daughter learns more about safe computing.

I still have on the computer:

SuperAntiSpyware
HiJackThis
DrWeb-CureIt

None are listed in the uninstall list in Control Panel and have no obvious way to uninstall.

If I don't need to keep them, is it sufficient to merely delete these programs from the desktop?

You mention TFC and that I should run it once a week to clean out the clutter. Which program is this?

I shall be working to gain access to the Internet so that I can install Spybot, AVG, etc.

Again, many thanks. I will be returning to the forum with a question on my computer that I believe may have gotten infected in the process of fixing my daughter's.
 