Attached Files
-
Attach.txt 19.66KB
384 downloads
WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
[Closed] spontaneous shut down and slow running
Started by
ephillips
, Apr 29 2010 09:11 AM
-
This topic is locked
19 replies to this topic
#1
ephillips
-
- Authentic Member
-
- 39 posts
Authentic Member
Posted 29 April 2010 - 09:11 AM
Register to Remove
#2
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 29 April 2010 - 03:33 PM
Hello ephillips and 
My name is JonTom.
My name is JonTom.
- Malware Logs can sometimes take a lot of time to research and interpret.
- Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
- Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
- Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
- PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
- Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
- This may cause a delay in response time, but I will do my best to keep it as short as possible.
- I will reply back shortly with instructions.
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#3
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 30 April 2010 - 05:23 AM
Hello ephillips
Thank you for the logs. Before we begin cleaning your system, please work your way through the following steps:
Thank you for the logs. Before we begin cleaning your system, please work your way through the following steps:
- Security Programs
- I can see from your log that you have a number of real-time security programs running, namely Ad-Aware, SpywareGuard v2.2 and AVG.
- Whilst both of these programs provide good security, they may clash with each other which can leave your system vulnerable to infection.
- Please make sure that you only have ONE Firewall and ONE real-time Antivirus running on your system.
- GMER
- If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
- If GMER does not produce a log please try running it from Safe Mode:
- How to use the F8 method to Start Your Computer in Safe Mode
- Restart your computer.
- As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
- Use the arrow keys to select the Safe mode menu item.
- Press Enter.
- If GMER in safe mode does not work, please try RootRepeal:
- RootRepeal
- Please download RootRepeal to your desktop
- Physically disconnect your machine from the internet as your system will be unprotected.
- Unzip it to it's own folder, close all other programs especially your security programs (anti-spyware, anti-virus, and firewall) and run RootRepeal.exe
- Click the Report tab at the bottom and then the Scan button.
- A box will pop up, check the boxes beside Drivers, Files, Processes SSDT and click OK.
- Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
- The scan will take a little while to run, so let it go unhindered.
- Once it is done, click the "Save Report" button, call it RepealScan and save the log to your desktop.
- Reconnect to the internet.
Please provide the GMER/Rootrepeal log in your next reply. If you are still having trouble, come back and let me know.
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#4
ephillips
-
- Authentic Member
-
- 39 posts
Authentic Member
Posted 30 April 2010 - 03:54 PM
I removed the SpyGuard program & restarted. I can't run the Gmer scan. I started the computer in the safe mode 4 times and it would shut off before the windows start up page would even come up. I started it in the normal mode, and started Gmer scan and it sut down again. Is there something else I can do right now before the Gmer scan?
#5
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 01 May 2010 - 05:25 AM
Hello ephillips
Thank you for letting me know. The Malware on your system is interfering with our tools.
Please try the following before running GMER.
Thank you for letting me know. The Malware on your system is interfering with our tools.
Please try the following before running GMER.
- DeFogger
- Please download DeFogger to your desktop.
- Double click DeFogger to run the tool.
- The application window will appear
- Click the Disable button to disable your CD Emulation drivers
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK
Do not re-enable these drivers until otherwise instructed.
- exeHelper
- Please download exeHelper by clicking here and save the file (called exeHelper.com) to your desktop.
- Double click on exeHelper.com to run the fix.
- A black window should pop up. Press any key to close once the fix is completed.
- Post the contents of log.txt (it Will be created in the directory where you ran exeHelper.com).
- NOTE: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
If you are still having trouble running GMER, try running RootRepeal (instructions in previous post).
Post the logs if they are created, otherwise come back and we will try something else
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#6
ephillips
-
- Authentic Member
-
- 39 posts
Authentic Member
Posted 02 May 2010 - 08:28 PM
I ran RootRepeal and will post the log for you here and also the defogger log. Also I ran GMER 7 times, each time it shuts down. While out of the house today, tried to perform a system restore to a date in March and "Did some other things to figure out why its shutting down" and then proceeded to downloand a few applications without telling me. I have deleted those applications and also re-ran ERUNT, DDs, Defogger, exehelper & the malwarebyte scans and have those logs as well if you need them. Here is the RootReport & Defogger log
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/02 21:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xB80C8000 Size: 57344 File Visible: - Signed: -
Status: -
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB7F79000 Size: 187776 File Visible: - Signed: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA81D6000 Size: 138496 File Visible: - Signed: -
Status: -
Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xAD982000 Size: 60800 File Visible: - Signed: -
Status: -
Name: ASACPI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xB85F2000 Size: 5152 File Visible: - Signed: -
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0xB7F31000 Size: 96512 File Visible: - Signed: -
Status: -
Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -
Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xB8721000 Size: 3072 File Visible: - Signed: -
Status: -
Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xA80EA000 Size: 328576 File Visible: - Signed: -
Status: -
Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xAC1CD000 Size: 21120 File Visible: - Signed: -
Status: -
Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xB8660000 Size: 4224 File Visible: - Signed: -
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xB84B8000 Size: 12288 File Visible: - Signed: -
Status: -
Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xAA856000 Size: 63744 File Visible: - Signed: -
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB8258000 Size: 62976 File Visible: - Signed: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xB8118000 Size: 53248 File Visible: - Signed: -
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xB8108000 Size: 36352 File Visible: - Signed: -
Status: -
Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xAD9C2000 Size: 61440 File Visible: - Signed: -
Status: -
Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xA24B1000 Size: 102400 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB864E000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA3244000 Size: 12288 File Visible: - Signed: -
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBD000000 Size: 73728 File Visible: - Signed: -
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xB8734000 Size: 4096 File Visible: - Signed: -
Status: -
Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xB8430000 Size: 27392 File Visible: - Signed: -
Status: -
Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xAD972000 Size: 44544 File Visible: - Signed: -
Status: -
Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xAE956000 Size: 20480 File Visible: - Signed: -
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB7EE0000 Size: 129792 File Visible: - Signed: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xB865E000 Size: 7936 File Visible: - Signed: -
Status: -
Name: fssfltr_tdi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
Address: 0xB5430000 Size: 48128 File Visible: - Signed: -
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB7F49000 Size: 125056 File Visible: - Signed: -
Status: -
Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xB8450000 Size: 21120 File Visible: - Signed: -
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: -
Status: -
Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB6672000 Size: 163840 File Visible: - Signed: -
Status: -
Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xAD962000 Size: 36864 File Visible: - Signed: -
Status: -
Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xAE92E000 Size: 28672 File Visible: - Signed: -
Status: -
Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xAD2F9000 Size: 10368 File Visible: - Signed: -
Status: -
Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA1DFC000 Size: 265728 File Visible: - Signed: -
Status: -
Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xB8238000 Size: 52480 File Visible: - Signed: -
Status: -
Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB8248000 Size: 42112 File Visible: - Signed: -
Status: -
Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xB8218000 Size: 36352 File Visible: - Signed: -
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xA81F8000 Size: 152832 File Visible: - Signed: -
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA82C7000 Size: 75264 File Visible: - Signed: -
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xB80A8000 Size: 37248 File Visible: - Signed: -
Status: -
Name: JGOGO.sys
Image Path: JGOGO.sys
Address: 0xB85AC000 Size: 6912 File Visible: - Signed: -
Status: -
Name: jraid.sys
Image Path: jraid.sys
Address: 0xB80F8000 Size: 43648 File Visible: - Signed: -
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xB8438000 Size: 24576 File Visible: - Signed: -
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xB85A8000 Size: 8192 File Visible: - Signed: -
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB669A000 Size: 143360 File Visible: - Signed: -
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB7EB7000 Size: 92928 File Visible: - Signed: -
Status: -
Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xB8128000 Size: 57472 File Visible: - Signed: -
Status: -
Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xB8662000 Size: 4224 File Visible: - Signed: -
Status: -
Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xB8458000 Size: 30080 File Visible: - Signed: -
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xB8478000 Size: 23040 File Visible: - Signed: -
Status: -
Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xAD2F5000 Size: 12160 File Visible: - Signed: -
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xB80D8000 Size: 42368 File Visible: - Signed: -
Status: -
Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA1F2D000 Size: 180608 File Visible: - Signed: -
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA813B000 Size: 455680 File Visible: - Signed: -
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xAE93E000 Size: 19072 File Visible: - Signed: -
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xB7AA6000 Size: 35072 File Visible: - Signed: -
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB70EE000 Size: 15488 File Visible: - Signed: -
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xB7DE3000 Size: 105344 File Visible: - Signed: -
Status: -
Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB7DFD000 Size: 182656 File Visible: - Signed: -
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB855C000 Size: 10112 File Visible: - Signed: -
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB85A0000 Size: 14592 File Visible: - Signed: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB6543000 Size: 91520 File Visible: - Signed: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xB81D8000 Size: 40576 File Visible: - Signed: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xAD992000 Size: 34688 File Visible: - Signed: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA821E000 Size: 162816 File Visible: - Signed: -
Status: -
Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xB8278000 Size: 61824 File Visible: - Signed: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xAE936000 Size: 30848 File Visible: - Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB7E2A000 Size: 574976 File Visible: - Signed: -
Status: -
Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xAD1EE000 Size: 2944 File Visible: - Signed: -
Status: -
Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBD012000 Size: 6361088 File Visible: - Signed: -
Status: -
Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB6709000 Size: 10276768 File Visible: - Signed: -
Status: -
Name: nvata.sys
Image Path: nvata.sys
Address: 0xB7F18000 Size: 100736 File Visible: - Signed: -
Status: -
Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xB7662000 Size: 54784 File Visible: - Signed: -
Status: -
Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xB8288000 Size: 40960 File Visible: - Signed: -
Status: -
Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB6588000 Size: 958464 File Visible: - Signed: -
Status: -
Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xB80B8000 Size: 61696 File Visible: - Signed: -
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB66E1000 Size: 80128 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xB8330000 Size: 19712 File Visible: - Signed: -
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xB8646000 Size: 6784 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xB7F68000 Size: 68224 File Visible: - Signed: -
Status: -
Name: pciide.sys
Image Path: pciide.sys
Address: 0xB8670000 Size: 3328 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xB8328000 Size: 28672 File Visible: - Signed: -
Status: -
Name: PdiPorts.sys
Image Path: C:\WINDOWS\System32\Drivers\PdiPorts.sys
Address: 0xB70F2000 Size: 8960 File Visible: - Signed: -
Status: -
Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xB8554000 Size: 9856 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xA82FA000 Size: 147456 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB6532000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xB8468000 Size: 17792 File Visible: - Signed: -
Status: -
Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xB8138000 Size: 36320 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xAFB98000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB82A8000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB7AC6000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB7AB6000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xB8470000 Size: 16512 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA81AB000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xB8664000 Size: 4224 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB8268000 Size: 57600 File Visible: - Signed: -
Status: -
Name: RootMdm.sys
Image Path: C:\WINDOWS\System32\Drivers\RootMdm.sys
Address: 0xB85F6000 Size: 5888 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA044A000 Size: 49152 File Visible: No Signed: -
Status: -
Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xA831E000 Size: 4225920 File Visible: - Signed: -
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xB7F00000 Size: 98304 File Visible: - Signed: -
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xB8550000 Size: 15744 File Visible: - Signed: -
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB8228000 Size: 64512 File Visible: - Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xB7ECE000 Size: 73472 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA1D55000 Size: 353792 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xB85F8000 Size: 4352 File Visible: - Signed: -
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xAA866000 Size: 60800 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA826E000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xB8460000 Size: 20480 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xB7A96000 Size: 40704 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB64D4000 Size: 384768 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\drivers\USBD.SYS
Address: 0xB85F4000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xB8448000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xAD9B2000 Size: 59520 File Visible: - Signed: -
Status: -
Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xB8440000 Size: 17152 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB66BD000 Size: 147456 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xAE946000 Size: 20992 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB66F5000 Size: 81920 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xB80E8000 Size: 52352 File Visible: - Signed: -
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xAD9A2000 Size: 34560 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xA2BC7000 Size: 20480 File Visible: - Signed: -
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA224C000 Size: 83072 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -
Name: windrvr6.sys
Image Path: C:\WINDOWS\system32\drivers\windrvr6.sys
Address: 0xB655A000 Size: 186592 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xB85AA000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xAD311000 Size: 12032 File Visible: - Signed: -
Status: -
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:50 on 02/05/2010 (Erin)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-:
#7
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 03 May 2010 - 11:55 AM
Hello ephillips
Thank you for letting me know. I would like to see the logs that exehelper and MBAM produced. Please do not run anymore tools unless requested.
Also, please scan your system with DDS once more and post the log (along with exehelper and MBAM) in your next reply.
also re-ran ERUNT, DDs, Defogger, exehelper & the malwarebyte scans and have those logs as well if you need them.
Thank you for letting me know. I would like to see the logs that exehelper and MBAM produced. Please do not run anymore tools unless requested.
Also, please scan your system with DDS once more and post the log (along with exehelper and MBAM) in your next reply.
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#8
ephillips
-
- Authentic Member
-
- 39 posts
Authentic Member
Posted 03 May 2010 - 01:17 PM
Here is the MBAM, exehelper & DDS / Attach logs:
Malwarebytes' Anti-Malware 1.28
Database version: 1159
Windows 5.1.2600 Service Pack 3
5/3/2010 3:14:10 PM
mbam-log-2010-05-03 (15-14-10).txt
Scan type: Quick Scan
Objects scanned: 58512
Time elapsed: 7 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
exeHelper by Raktor
Build 20100414
Run at 21:13:45 on 05/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
exeHelper by Raktor
Build 20100414
Run at 22:17:47 on 05/02/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
DDS (Ver_09-06-26.01) - NTFSx86
Run by Erin at 15:05:21.93 on Mon 05/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1146 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files\Lexmark 5300 Series\lxdkamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkserv.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Erin\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {E16DC1FE-7C34-43F2-B754-F3AD12DDF97C} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.4; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.cartoonne...ack/index.html"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [SkyTel] SkyTel.EXE
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [lxdkmon.exe] "c:\program files\lexmark 5300 series\lxdkmon.exe"
mRun: [lxdkamon] "c:\program files\lexmark 5300 series\lxdkamon.exe"
mRun: [Lexmark 5300 Series Fax Server] "c:\program files\lexmark 5300 series\fm3032.exe" /s
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [fadagohar] Rundll32.exe "c:\windows\system32\kabifoti.dll",a
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\erin\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\erin\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\erin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\erin\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/binary/MJSS.cab69309.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197724327218
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://upload.smugmug.com/photos/activex/ImageUploader4-082807.cab
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: wawavara.dll c:\windows\system32\kabifoti.dll c:\windows\system32\hedafatu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: hugamunom - {592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SSODL: gobavivoj - {c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SSODL: merojozus - {610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SSODL: muwarakos - {92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SSODL: zamezakif - {63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
STS: kupuhivus: {592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
STS: jugezatag: {c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
STS: mujuzedij: {610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
STS: kupuhivus: {92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
STS: tokatiluy: {63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli jubimiso.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-2 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-15 27784]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-1-8 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 297752]
R2 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-11-19 455944]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-23 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-6-14 99248]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 getPlusHelper;getPlus® Installer;c:\windows\system32\svchost.exe -k getPlusHelper [2006-2-28 14336]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys --> c:\windows\system32\drivers\jl2005c.sys [?]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2008-2-13 618112]
=============== Created Last 30 ================
2010-05-02 20:04 15 a------- c:\documents and settings\erin\settings.dat
2010-05-02 18:55 28 a------- c:\windows\v2d.INI
2010-05-02 18:41 <DIR> --d----- C:\v2d
2010-05-02 18:41 <DIR> --d----- c:\program files\Total Video2Dvd
2010-05-02 18:16 <DIR> --d----- c:\docume~1\erin\applic~1\Search Settings
2010-05-02 18:16 <DIR> --d----- c:\docume~1\erin\applic~1\Dealio
2010-05-02 18:16 <DIR> --d----- c:\program files\Search Settings
2010-05-02 18:16 <DIR> --d----- c:\program files\Dealio Toolbar
2010-05-02 18:16 <DIR> --d----- c:\program files\Application Updater
2010-05-02 18:16 152,848 a------- c:\windows\system32\COMDLG32.OCX
2010-05-02 18:16 141,312 a------- c:\windows\system32\MSCMCFR.DLL
2010-05-02 18:16 119,568 a------- c:\windows\system32\VB6FR.DLL
2010-05-02 18:16 101,888 a------- c:\windows\system32\VB6STKIT.DLL
2010-05-02 18:16 32,768 a------- c:\windows\system32\CMDLGFR.DLL
2010-05-02 18:16 15,360 a------- c:\windows\system32\inetfr.DLL
2010-05-02 18:16 <DIR> --d----- c:\docume~1\erin\applic~1\FreeBurner
2010-05-02 15:25 <DIR> --d----- c:\program files\3ivx
2010-04-28 23:36 411,368 a------- c:\windows\system32\deployJava1.dll
2010-04-28 21:29 40,960 a------- c:\windows\system32\ssubtmr6.dll
2010-04-28 21:29 36,864 a------- c:\windows\system32\trayicon_handler.ocx
2010-04-21 16:54 <DIR> --d----- c:\docume~1\erin\applic~1\HandBrake
2010-04-21 16:54 <DIR> --d----- c:\program files\Handbrake
2010-04-21 16:32 <DIR> --d----- c:\windows\system32\windows media
2010-04-21 16:28 <DIR> --d----- c:\program files\common files\Protexis
2010-04-21 16:23 <DIR> --d----- c:\program files\common files\Corel
2010-04-21 16:22 <DIR> --d----- c:\program files\Windows Media Components
2010-04-21 16:22 <DIR> --d----- c:\program files\common files\Ulead Systems
2010-04-21 16:22 3,734,536 a------- c:\windows\system32\d3dx9_36.dll
2010-04-21 16:22 1,374,232 a------- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 16:22 444,776 a------- c:\windows\system32\d3dx10_36.dll
2010-04-21 16:22 267,272 a------- c:\windows\system32\xactengine2_10.dll
2010-04-21 16:22 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 16:22 444,776 a------- c:\windows\system32\d3dx10_35.dll
2010-04-21 16:22 267,112 a------- c:\windows\system32\xactengine2_9.dll
2010-04-18 20:15 <DIR> --d----- c:\program files\Flip Video
2010-04-18 16:02 <DIR> --d----- c:\docume~1\erin\applic~1\ImTOO
2010-04-18 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2010-04-18 13:46 1,761,280 a------- c:\windows\system32\ffdshow.ax
2010-04-18 13:46 262,144 a------- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 13:46 2,255,360 a------- c:\windows\system32\libavcodec.dll
2010-04-18 13:46 395,776 a------- c:\windows\system32\libmplayer.dll
2010-04-18 13:46 172,032 a------- c:\windows\system32\ac3filter.ax
2010-04-18 13:46 112,640 a------- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 13:10 1,208,320 a------- c:\windows\system32\cygxml2-2.dll
2010-04-18 13:10 1,153,417 a------- c:\windows\system32\cygwin1.dll
2010-04-18 13:10 980,992 a------- c:\windows\system32\cygiconv-2.dll
2010-04-18 13:10 139,264 a------- c:\windows\system32\Mpeg2Decoder.ax
2010-04-18 13:10 94,208 a------- c:\windows\system32\Mpeg2Parser.ax
2010-04-18 13:10 62,464 a------- c:\windows\system32\cygz.dll
2010-04-18 13:10 <DIR> --d----- c:\program files\Cucusoft
2010-04-18 12:54 <DIR> --d----- c:\docume~1\erin\applic~1\AnvSoft
2010-04-13 17:51 <DIR> --d----- c:\docume~1\erin\applic~1\Windows Search
2010-04-09 16:48 3,600,384 a------- c:\windows\system32\GPhotos.scr
==================== Find3M ====================
2010-05-03 08:29 5,018 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-05-03 08:29 248 ---shr-- c:\docume~1\alluse~1\applic~1\E27CF4E0CB.sys
2010-03-10 02:15 420,352 a------- c:\windows\system32\vbscript.dll
2010-03-08 08:41 15,688 a------- c:\windows\system32\lsdelete.exe
2010-02-25 02:24 916,480 a------- c:\windows\system32\wininet.dll
2010-02-16 10:08 2,146,304 a------- c:\windows\system32\ntoskrnl.exe
2010-02-16 09:25 2,024,448 a------- c:\windows\system32\ntkrnlpa.exe
2010-02-12 00:33 100,864 a------- c:\windows\system32\6to4svc.dll
2009-09-07 20:58 13,643 a------- c:\program files\common files\yhiqi.ban
2008-09-15 16:46 88 ---shr-- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 16:46 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
============= FINISH: 15:05:54.10 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-06-26.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/15/2007 7:49:32 AM
System Uptime: 5/3/2010 2:49:08 PM (1 hours ago)
Motherboard: ASUSTeK Computer INC. | | P5N-E SLI
Processor: Intel® Core™2 Duo CPU E6750 @ 2.66GHz | Socket 775 | 2666/333mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 160.527 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 5/3/2010 2:56:38 PM - System Checkpoint
==== Installed Programs ======================
3DVIA player 5.0
3ivx MPEG-4 5.0.3 (remove only)
ABBYY FineReader 6.0 Sprint
AC3Filter (remove only)
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11
American Greetings CreataCard Select 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Basic Webcam
Bonjour
Choice Guard
Contents
Corel PaintShop Photo Pro X3
Critical Update for Windows Media Player 11 (KB959772)
Dealio Toolbar v4.0.2
Default
DeviceIO
Dora the Explorer La Casa de Dora
Driver Detective
DVD-CLONER V7.10 Build 992
ERUNT 1.1j
Facebook Plug-In
FlipShare
getPlus® Download Manager for Corel
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP My Display
ICA
ImageDrive (Ahead Software)
IPM_PSP_Pro
iTunes
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 7
JMB36X Raid Configurer
Junk Mail filter update
Lexmark 5300 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Web Publishing Wizard 1.52
MLE
MSN
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nations Photo Lab ROES
neroxml
Netflix Movie Viewer
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
Orb Runtime libraries
Photo Viewer V2.4
Picasa 3
PSPH10Pro
PSPPContent
PSPPRO_DCRAW
PureHD
QuickTime
Realtek High Definition Audio Driver
SDK
Search Settings v1.2.3
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Segoe UI
Setup
Share
Skype™ 4.0
Spybot - Search & Destroy
The Digital Arts and Crafts Studio
U.B. Funkeys
Uninstall 1.0.0.1
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIO
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebIQ Technology Engine
WinAce Archiver
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 9 Series TweakMP PowerToy
Windows Movie Maker 2.0
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
Winkflash Transporter
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
5/3/2010 9:40:40 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
5/3/2010 9:07:57 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 001D60BA3376 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
5/2/2010 8:25:05 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
5/2/2010 8:01:50 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
THANK YOU
#9
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 03 May 2010 - 06:10 PM
Hello ephillips
Thank you for the logs.
Please work your way through the following steps. If you encounter any difficulties, come back and let me know.
Link 1
Link 2
Thank you for the logs.
Please work your way through the following steps. If you encounter any difficulties, come back and let me know.
- Download Combofix and RE-NAME it BEFORE saving
- Download Combofix from either of the links below. You must rename it to ephillips.exe before saving it.
- Save it to your desktop. Change the "save as file type" to "all files".
- Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
Link 1
Link 2
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.
- Double click on the renamed ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#10
ephillips
-
- Authentic Member
-
- 39 posts
Authentic Member
Posted 04 May 2010 - 08:16 PM
ComboFix 10-05-04.03 - Erin 05/04/2010 21:18:01.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\program files\Search Settings
c:\program files\Search Settings\SeARchsettings.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\windows\system32\hedafatu.dll
c:\windows\Tasks.\aurwolai.job
c:\windows\Tasks.\aurwolai.job . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.
2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Search Settings
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Dealio
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-18 20:33 . 2010-03-18 20:33 7750617 ----a-w- c:\documents and settings\All Users\SPL55.tmp
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-08 12:41 . 2009-09-08 01:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-09-08 00:58 . 2009-09-08 00:58 13643 ----a-w- c:\program files\Common Files\yhiqi.ban
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-fadagohar - c:\windows\system32\kabifoti.dll
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
SharedTaskScheduler-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
SSODL-hugamunom-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SSODL-gobavivoj-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SSODL-merojozus-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SSODL-muwarakos-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SSODL-zamezakif-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 21:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1492)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdkcoms.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
.
**************************************************************************
.
Completion time: 2010-05-04 22:02:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 02:02
ComboFix2.txt 2009-01-31 15:21
ComboFix3.txt 2009-01-16 19:45
ComboFix4.txt 2009-01-16 18:07
ComboFix5.txt 2010-05-05 01:17
Pre-Run: 172,081,438,720 bytes free
Post-Run: 173,642,485,760 bytes free
- - End Of File - - B29A6EEC321CF5AD9658855E0BB2EF68
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\program files\Search Settings
c:\program files\Search Settings\SeARchsettings.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\windows\system32\hedafatu.dll
c:\windows\Tasks.\aurwolai.job
c:\windows\Tasks.\aurwolai.job . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.
2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Search Settings
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Dealio
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-18 20:33 . 2010-03-18 20:33 7750617 ----a-w- c:\documents and settings\All Users\SPL55.tmp
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-08 12:41 . 2009-09-08 01:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-09-08 00:58 . 2009-09-08 00:58 13643 ----a-w- c:\program files\Common Files\yhiqi.ban
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-fadagohar - c:\windows\system32\kabifoti.dll
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
SharedTaskScheduler-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
SSODL-hugamunom-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SSODL-gobavivoj-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SSODL-merojozus-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SSODL-muwarakos-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SSODL-zamezakif-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 21:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1492)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdkcoms.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
.
**************************************************************************
.
Completion time: 2010-05-04 22:02:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 02:02
ComboFix2.txt 2009-01-31 15:21
ComboFix3.txt 2009-01-16 19:45
ComboFix4.txt 2009-01-16 18:07
ComboFix5.txt 2010-05-05 01:17
Pre-Run: 172,081,438,720 bytes free
Post-Run: 173,642,485,760 bytes free
- - End Of File - - B29A6EEC321CF5AD9658855E0BB2EF68
Register to Remove
#11
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 05 May 2010 - 05:18 PM
Hello ephillips
Thank you for the log. Before we continue, I would like to take a closer look at some files on your machine.
Please work your way through the following steps:
Thank you for the log. Before we continue, I would like to take a closer look at some files on your machine.
Please work your way through the following steps:
- Please run the following Command
- Click on "Start" and then on "Run".
- Copy and Paste the following command into the Run box:
cmd /c del /f/a/q "c:\windows\Tasks.\aurwolai.job"
- Click on "OK".
- Please make all files and folders VISIBLE:
- Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
- Choose to "Show hidden files and folders."
- Uncheck the "Hide protected operating system files" and the "Hide extensions for know file types" boxes.
- Close the window with "OK".
- Please scan the following files
- Please visit Virus Total by clicking here.
- Click the Browse button and search for the following file: c:\program files\Common Files\yhiqi.ban
- Click Open.
- Then click Send File.
- Please be patient while the file is scanned.
- If Virus Total tells you that the file has already been scanned, click "reanalyse now".
- Once the scan results appear, copy and paste them into Notepad and repeat the procedure for the following file(s):
c:\documents and settings\All Users\SPL55.tmp
- Please provide the results from the scans in your next reply.
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#12
ephillips
-
- Authentic Member
-
- 39 posts
Authentic Member
Posted 05 May 2010 - 07:30 PM
File yhiqi.ban received on 2010.05.06 01:25:06 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.05 -
Antiy-AVL 2.0.3.7 2010.05.05 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.05 -
Avast5 5.0.332.0 2010.05.05 -
AVG 9.0.0.787 2010.05.05 -
BitDefender 7.2 2010.05.06 -
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.05 -
Comodo 4775 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 -
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7470 2010.05.05 -
F-Prot 4.5.1.85 2010.05.05 -
F-Secure 9.0.15370.0 2010.05.06 -
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 -
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.05 -
Kaspersky 7.0.0.125 2010.05.06 -
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.05 -
Microsoft 1.5703 2010.05.05 -
NOD32 5089 2010.05.05 -
Norman 6.04.12 2010.05.05 -
nProtect 2010-05-05.01 2010.05.05 -
Panda 10.0.2.7 2010.05.05 -
PCTools 7.0.3.5 2010.05.05 -
Prevx 3.0 2010.05.06 -
Rising 22.46.02.03 2010.05.05 -
Sophos 4.53.0 2010.05.06 -
Sunbelt 6265 2010.05.06 -
Symantec 20091.2.0.41 2010.05.05 -
TheHacker 6.5.2.0.275 2010.05.03 -
TrendMicro 9.120.0.1004 2010.05.05 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.05 -
ViRobot 2010.5.4.2303 2010.05.05 -
VirusBuster 5.0.27.0 2010.05.05 -
Additional information
File size: 13643 bytes
MD5...: 66b636a4e913d20efbb6366ab8b4aa17
SHA1..: 2dd5d4e045cfc877abc231724b16e633a5ff6bb0
SHA256: 24ca68d22cc54c11d9e4d4f5b219f0617e81ae0ff93515e34e15ba937d55389b
ssdeep: 384:1ReVN3oX97kUTCsbmF20AaZcA8UDZJGHyXNOa:1R8JoXGVSyZBNJiyXNOa
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
trid..: MPEG Video (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
File SPL55.tmp received on 2010.05.06 01:28:28 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.05 -
Antiy-AVL 2.0.3.7 2010.05.05 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.05 -
Avast5 5.0.332.0 2010.05.05 -
AVG 9.0.0.787 2010.05.05 -
BitDefender 7.2 2010.05.06 -
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.05 -
Comodo 4775 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 -
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7470 2010.05.05 -
F-Prot 4.5.1.85 2010.05.05 -
F-Secure 9.0.15370.0 2010.05.06 -
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 -
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.05 -
Kaspersky 7.0.0.125 2010.05.06 -
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.05 -
Microsoft 1.5703 2010.05.05 -
NOD32 5089 2010.05.05 -
Norman 6.04.12 2010.05.05 -
nProtect 2010-05-05.01 2010.05.05 -
Panda 10.0.2.7 2010.05.05 -
PCTools 7.0.3.5 2010.05.05 -
Prevx 3.0 2010.05.06 -
Rising 22.46.02.03 2010.05.05 -
Sophos 4.53.0 2010.05.06 -
Sunbelt 6265 2010.05.06 -
Symantec 20091.2.0.41 2010.05.05 -
TheHacker 6.5.2.0.275 2010.05.03 -
TrendMicro 9.120.0.1004 2010.05.05 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.05 -
ViRobot 2010.5.4.2303 2010.05.05 -
VirusBuster 5.0.27.0 2010.05.05 -
Additional information
File size: 7750617 bytes
MD5...: d20a6b8786b714f420cf0cca9f7c0ac5
SHA1..: d2e9388c7a7c879d89a69d11eded22d321ef842d
SHA256: 9c243c402521c1b504f6c888fb83f95d11e716aadfa82cd9fe8bf47f4f2d6c53
ssdeep: 49152:2xApdDkFcnwaR2NzTHQQQpTgHmSDEfsVk0000000zawB:0ApdDkyw5ZQQC
gH9k0000000ztB
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: OpenGL object (49.9%)
Lotus 123 Worksheet (generic) (25.0%)
MacBinary 2 header (12.5%)
BONK lossless/lossy audio compressor (12.4%)
MS Flight Simulator Aircraft Performance Info (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
THANKS
#13
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 06 May 2010 - 11:34 AM
Hello ephillips
Thank you for the scan logs.
Thank you for the scan logs.
- Please work through the following steps
- Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
- NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
- Copy and Paste the text in the quotebox below into the open Notepad window:
File::
c:\program files\Common Files\yhiqi.ban
c:\documents and settings\All Users\SPL55.tmp
Folder::
c:\documents and settings\Erin\Application Data\Search Settings
c:\documents and settings\Erin\Application Data\Dealio
DirLook::
c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} - Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
- Close any open browsers.
- Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Refering to the picture below, drag CFScript.txt into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Once the log is produced, re-engage your resident anti virus.
- Clean out your temporary files
- Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
- Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
- Check the boxes to the left of the following:
- Windows Temp
- Current User Temp
- All Users Temp
- Temporary Internet Files
- Java Cache
- The rest are optional. If you want to remove everything check the "Select All" box.
- Click on "Empty Selected" to begin cleaning.
- Once the "Done Cleaning" message appears, click OK.
- If you use Firefox, Click on the Firefox tab and repeat the above process.
- When you have finished cleaning, click on the "Exit" button in the main menu.
- Please perform the following scan:
- You have MalwareBytes AntiMalware installed.
- Double click on your MalwareBytes AntiMalware icon to launch the program.
- Click on the "Update" tab and then on "Check for Updates".
- The program will now install the latest Malware definition files.
- Once complete, click on the "Scanner" tab, select "Perform full scan"and then click on "Scan".
- Once the program has scanned your computer, a log file will be created in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
- The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
- Come back here to this thread and Paste the log in your next reply.
- Please perform the following scan:
- This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.
- It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
- DO NOT surf the net while your resident protection is disabled!
- Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.
- Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run (at times it may appear to stall).
- Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Once the scan is complete, click on View scan report. To obtain the report:
- Click on: Save Report As
- Next, in the Save as prompt, Save in area, select: Desktop
- In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:Text file [*.txt]
- Then, click: Save
- Please post the Kaspersky Online Scanner Report in your reply.
- If you need help performing the above steps, an animated tutorial can be found here.
In your next reply please provide the ComboFix log, the MBAM log and the Kaspersky Online Scan log.
Also, please describe how your machine is behaving now. Are you still experiencing problems?
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#14
JonTom
-
- Malware Team
-
- 5,496 posts
Teacher Emeritus
Posted 09 May 2010 - 03:26 AM
Are you still with me?
Would you like to help others? Join the Classroom and learn how.
Member of UNITE
Proud Graduate of the WTT Classroom
Member of UNITE
Proud Graduate of the WTT Classroom
#15
ephillips
-
- Authentic Member
-
- 39 posts
Authentic Member
Posted 09 May 2010 - 08:32 AM
Yep, trying the deep scan again, it has shut down 3 times before completing it. The combofix went through with no issues to report, but I'll post the log here.
Thanks again.
ComboFix 10-05-05.0D - Erin 05/06/2010 16:58:00.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
Command switches used :: c:\documents and settings\Erin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\documents and settings\All Users\SPL55.tmp"
"c:\program files\Common Files\yhiqi.ban"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\SPL55.tmp
c:\documents and settings\Erin\Application Data\Dealio
c:\documents and settings\Erin\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Erin\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Erin\Application Data\Search Settings
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14731.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14732.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14733.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14734.log
c:\program files\Common Files\yhiqi.ban
.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.
2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-07 17:16 . 2010-04-07 17:16 503808 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcp71.dll
2010-04-07 17:16 . 2010-04-07 17:16 499712 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\jmc.dll
2010-04-07 17:16 . 2010-04-07 17:16 348160 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcr71.dll
2010-04-07 17:16 . 2010-04-07 17:16 61440 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-sse.dll
2010-04-07 17:16 . 2010-04-07 17:16 12800 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 50354 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\uninstall.exe
2010-03-24 14:49 . 2010-03-24 14:49 2114184 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:31 . 2010-03-09 02:32 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:31 . 2008-08-31 15:07 38784 ----a-w- c:\documents and settings\Erin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} ----
2009-03-25 11:36 . 2009-03-25 11:36 90 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\instance.dat
2009-03-25 11:36 . 2010-04-29 04:01 487 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.dat
2009-03-25 11:36 . 2009-03-25 11:36 9 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.lan
2009-03-25 11:36 . 2009-03-25 11:36 9318 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.par
2009-03-25 11:36 . 2009-03-12 08:17 5115615 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.res
2009-03-25 11:36 . 2009-03-12 08:17 578782 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\mia.lib
2009-03-25 11:36 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-03-25 11:36 . 2009-03-12 08:17 1802240 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.msi
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 17:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-05-06 17:08:53
ComboFix-quarantined-files.txt 2010-05-06 21:08
ComboFix2.txt 2010-05-05 02:02
ComboFix3.txt 2009-01-31 15:21
ComboFix4.txt 2009-01-16 19:45
ComboFix5.txt 2010-05-06 20:57
Pre-Run: 173,457,506,304 bytes free
Post-Run: 173,519,728,640 bytes free
- - End Of File - - 1BE7B93382BAF22551E87176ECD5A671
Thanks again.
ComboFix 10-05-05.0D - Erin 05/06/2010 16:58:00.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
Command switches used :: c:\documents and settings\Erin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\documents and settings\All Users\SPL55.tmp"
"c:\program files\Common Files\yhiqi.ban"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\SPL55.tmp
c:\documents and settings\Erin\Application Data\Dealio
c:\documents and settings\Erin\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Erin\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Erin\Application Data\Search Settings
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14731.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14732.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14733.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14734.log
c:\program files\Common Files\yhiqi.ban
.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.
2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-07 17:16 . 2010-04-07 17:16 503808 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcp71.dll
2010-04-07 17:16 . 2010-04-07 17:16 499712 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\jmc.dll
2010-04-07 17:16 . 2010-04-07 17:16 348160 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcr71.dll
2010-04-07 17:16 . 2010-04-07 17:16 61440 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-sse.dll
2010-04-07 17:16 . 2010-04-07 17:16 12800 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 50354 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\uninstall.exe
2010-03-24 14:49 . 2010-03-24 14:49 2114184 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:31 . 2010-03-09 02:32 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:31 . 2008-08-31 15:07 38784 ----a-w- c:\documents and settings\Erin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} ----
2009-03-25 11:36 . 2009-03-25 11:36 90 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\instance.dat
2009-03-25 11:36 . 2010-04-29 04:01 487 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.dat
2009-03-25 11:36 . 2009-03-25 11:36 9 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.lan
2009-03-25 11:36 . 2009-03-25 11:36 9318 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.par
2009-03-25 11:36 . 2009-03-12 08:17 5115615 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.res
2009-03-25 11:36 . 2009-03-12 08:17 578782 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\mia.lib
2009-03-25 11:36 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-03-25 11:36 . 2009-03-12 08:17 1802240 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.msi
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 17:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-05-06 17:08:53
ComboFix-quarantined-files.txt 2010-05-06 21:08
ComboFix2.txt 2010-05-05 02:02
ComboFix3.txt 2009-01-31 15:21
ComboFix4.txt 2009-01-16 19:45
ComboFix5.txt 2010-05-06 20:57
Pre-Run: 173,457,506,304 bytes free
Post-Run: 173,519,728,640 bytes free
- - End Of File - - 1BE7B93382BAF22551E87176ECD5A671
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
