Jump to content

Build Theme!
  •  
  • Infected?

Photo

[Closed] spontaneous shut down and slow running


  • This topic is locked This topic is locked
19 replies to this topic

#1 ephillips

ephillips

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 29 April 2010 - 09:11 AM

My computer has been experiencing sporadic shut downs for about 2 weeks now. I went through the steps of what to do before posting a topic, but when I attempted the Gmer scan, it shuts down about 5 minutes into it. I ran a Malwarebyte scan hich shows no threats, I also attempted to complete a Spybot Search & Destroy scan and it shuts down at around the 45% mark each of the 3 times I tried. During those scans 3 issues came up: Fraud.VirusRemover2009 , Fraud.XPAntivirus , and Virtumond.atr. I saw that it was always scanning another Virtumonde file when it shuts down. At every start up, I get the message RUNDLL Error Loading C:\windows\system32\kabufoti.dll and I don't know what that is and can't find it in any searches. The computer has been noteably slower and seems to take longer at start up that it used to. I was able set the restore point, get the ERUNT done, and get the DDS report. I am including the Attach.txt, DDS.txt, & Malwarebytes log. DDS (Ver_09-06-26.01) - NTFSx86 Run by Erin at 9:40:49.48 on Thu 04/29/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1041 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\PixArt\PAC207\Monitor.exe C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe C:\Program Files\Lexmark 5300 Series\lxdkmon.exe C:\Program Files\Lexmark 5300 Series\lxdkamon.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\Program Files\SpywareGuard\sgmain.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Orb Networks\Orb\bin\Orb.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkserv.exe C:\WINDOWS\system32\lxdkcoms.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Internet Explorer\iexplore.exe c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Corel\Standby\Standby.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Documents and Settings\Erin\Local Settings\Temporary Internet Files\Content.IE5\YFJZPDU0\dds[1].scr ============== Pseudo HJT Report =============== uStart Page = hxxp://aol.com/ uInternet Settings,ProxyOverride = *.local BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll EB: {E16DC1FE-7C34-43F2-B754-F3AD12DDF97C} - No File uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.4; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.cartoonne...ack/index.html" mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [SkyTel] SkyTel.EXE mRun: [RTHDCPL] RTHDCPL.EXE mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe mRun: [lxdkmon.exe] "c:\program files\lexmark 5300 series\lxdkmon.exe" mRun: [lxdkamon] "c:\program files\lexmark 5300 series\lxdkamon.exe" mRun: [Lexmark 5300 Series Fax Server] "c:\program files\lexmark 5300 series\fm3032.exe" /s mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe mRun: [Orb] "c:\program files\orb networks\orb\bin\OrbLauncher.exe" /background mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [fadagohar] Rundll32.exe "c:\windows\system32\kabifoti.dll",a mRun: [nwiz] nwiz.exe /installquiet mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [Corel File Shell Monitor] c:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START StartupFolder: c:\docume~1\erin\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe StartupFolder: c:\docume~1\erin\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE StartupFolder: c:\docume~1\erin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE StartupFolder: c:\docume~1\erin\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe StartupFolder: c:\docume~1\erin\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe dPolicies-explorer: NoSetActiveDesktop = 1 (0x1) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9} DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/binary/MJSS.cab69309.cab DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197724327218 DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://upload.smugmug.com/photos/activex/ImageUploader4-082807.cab DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll AppInit_DLLs: wawavara.dll c:\windows\system32\kabifoti.dll c:\windows\system32\hedafatu.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SSODL: hugamunom - {592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll SSODL: gobavivoj - {c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll SSODL: merojozus - {610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll SSODL: muwarakos - {92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll SSODL: zamezakif - {63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll STS: kupuhivus: {592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll STS: jugezatag: {c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll STS: mujuzedij: {610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll STS: kupuhivus: {92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll STS: tokatiluy: {63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll LSA: Notification Packages = scecli jubimiso.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\erin\applic~1\mozilla\firefox\profiles\jvtygnv1.default\ FF - plugin: c:\documents and settings\erin\application data\facebook\npfbplugin_1_0_1.dll FF - plugin: c:\documents and settings\erin\application data\facebook\npfbplugin_1_0_3.dll FF - plugin: c:\documents and settings\erin\local settings\application data\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\microsoft\office live\npOLW.dll FF - plugin: c:\program files\mozilla firefox\plugins\np_IEGetPlugin.dll FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - HiddenExtension: XUL Cache: {67DB1A0C-5BF0-4BAB-881F-EEDA03D81E7A} - c:\documents and settings\erin\local settings\application data\{67DB1A0C-5BF0-4BAB-881F-EEDA03D81E7A} FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-2 335240] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-15 27784] R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 297752] R2 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-11-19 455944] R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-23 55152] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456] R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?] R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-6-14 99248] R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664] S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360] S3 getPlusHelper;getPlus® Installer;c:\windows\system32\svchost.exe -k getPlusHelper [2006-2-28 14336] S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys --> c:\windows\system32\drivers\jl2005c.sys [?] S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2008-2-13 618112] =============== Created Last 30 ================ 2010-04-28 23:36 411,368 a------- c:\windows\system32\deployJava1.dll 2010-04-28 21:34 <DIR> --d----- c:\docume~1\erin\applic~1\DVD Flick 2010-04-28 21:29 662,288 a------- c:\windows\system32\mscomct2.ocx 2010-04-28 21:29 609,824 a------- c:\windows\system32\comctl32.ocx 2010-04-28 21:29 164,144 a------- c:\windows\system32\comct232.ocx 2010-04-28 21:29 40,960 a------- c:\windows\system32\ssubtmr6.dll 2010-04-28 21:29 36,864 a------- c:\windows\system32\trayicon_handler.ocx 2010-04-28 21:29 28,672 a------- c:\windows\system32\mousewheel.ocx 2010-04-28 21:29 <DIR> --d----- c:\program files\DVD Flick 2010-04-21 16:54 <DIR> --d----- c:\docume~1\erin\applic~1\HandBrake 2010-04-21 16:54 <DIR> --d----- c:\program files\Handbrake 2010-04-21 16:32 <DIR> --d----- c:\windows\system32\windows media 2010-04-21 16:28 <DIR> --d----- c:\program files\common files\Protexis 2010-04-21 16:23 <DIR> --d----- c:\program files\common files\Corel 2010-04-21 16:22 <DIR> --d----- c:\program files\Windows Media Components 2010-04-21 16:22 <DIR> --d----- c:\program files\common files\Ulead Systems 2010-04-21 16:22 3,734,536 a------- c:\windows\system32\d3dx9_36.dll 2010-04-21 16:22 1,374,232 a------- c:\windows\system32\D3DCompiler_36.dll 2010-04-21 16:22 444,776 a------- c:\windows\system32\d3dx10_36.dll 2010-04-21 16:22 267,272 a------- c:\windows\system32\xactengine2_10.dll 2010-04-21 16:22 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll 2010-04-21 16:22 444,776 a------- c:\windows\system32\d3dx10_35.dll 2010-04-21 16:22 267,112 a------- c:\windows\system32\xactengine2_9.dll 2010-04-18 20:15 <DIR> --d----- c:\program files\Flip Video 2010-04-18 16:02 <DIR> --d----- c:\docume~1\erin\applic~1\ImTOO 2010-04-18 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero 2010-04-18 13:46 1,761,280 a------- c:\windows\system32\ffdshow.ax 2010-04-18 13:46 262,144 a------- c:\windows\system32\TomsMoComp_ff.dll 2010-04-18 13:46 2,255,360 a------- c:\windows\system32\libavcodec.dll 2010-04-18 13:46 395,776 a------- c:\windows\system32\libmplayer.dll 2010-04-18 13:46 172,032 a------- c:\windows\system32\ac3filter.ax 2010-04-18 13:46 112,640 a------- c:\windows\system32\libmpeg2_ff.dll 2010-04-18 13:10 1,208,320 a------- c:\windows\system32\cygxml2-2.dll 2010-04-18 13:10 1,153,417 a------- c:\windows\system32\cygwin1.dll 2010-04-18 13:10 980,992 a------- c:\windows\system32\cygiconv-2.dll 2010-04-18 13:10 139,264 a------- c:\windows\system32\Mpeg2Decoder.ax 2010-04-18 13:10 94,208 a------- c:\windows\system32\Mpeg2Parser.ax 2010-04-18 13:10 62,464 a------- c:\windows\system32\cygz.dll 2010-04-18 13:10 <DIR> --d----- c:\program files\Cucusoft 2010-04-18 12:54 <DIR> --d----- c:\docume~1\erin\applic~1\AnvSoft 2010-04-13 17:51 <DIR> --d----- c:\docume~1\erin\applic~1\Windows Search 2010-03-30 12:50 <DIR> --dsh--- c:\documents and settings\erin\IECompatCache ==================== Find3M ==================== 2010-04-26 17:11 5,018 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys 2010-04-26 17:09 248 ---shr-- c:\docume~1\alluse~1\applic~1\E27CF4E0CB.sys 2010-03-10 02:15 420,352 a------- c:\windows\system32\vbscript.dll 2010-03-08 08:41 15,688 a------- c:\windows\system32\lsdelete.exe 2010-02-25 02:24 916,480 a------- c:\windows\system32\wininet.dll 2010-02-19 19:47 3,604,480 a------- c:\windows\system32\GPhotos.scr 2010-02-16 10:08 2,146,304 a------- c:\windows\system32\ntoskrnl.exe 2010-02-16 09:25 2,024,448 a------- c:\windows\system32\ntkrnlpa.exe 2010-02-12 00:33 100,864 a------- c:\windows\system32\6to4svc.dll 2009-09-07 20:58 13,643 a------- c:\program files\common files\yhiqi.ban 2008-09-15 16:46 88 ---shr-- c:\windows\system32\E27CF4E0CB.sys 2008-09-15 16:46 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 9:41:30.07 =============== Malwarebytes' Anti-Malware 1.28 Database version: 1159 Windows 5.1.2600 Service Pack 3 4/29/2010 9:38:44 AM mbam-log-2010-04-29 (09-38-44).txt Scan type: Quick Scan Objects scanned: 61391 Time elapsed: 7 minute(s), 32 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

Attached Files



#2 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 29 April 2010 - 03:33 PM

Hello ephillips and :welcome:

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

  • Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
  • This may cause a delay in response time, but I will do my best to keep it as short as possible.
  • I will reply back shortly with instructions.


#3 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 30 April 2010 - 05:23 AM

Hello ephillips

Thank you for the logs. Before we begin cleaning your system, please work your way through the following steps:

  • Security Programs


    • I can see from your log that you have a number of real-time security programs running, namely Ad-Aware, SpywareGuard v2.2 and AVG.
    • Whilst both of these programs provide good security, they may clash with each other which can leave your system vulnerable to infection.
    • Please make sure that you only have ONE Firewall and ONE real-time Antivirus running on your system.

  • GMER


    • If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
    • If GMER does not produce a log please try running it from Safe Mode:

    • How to use the F8 method to Start Your Computer in Safe Mode

    • Restart your computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
    • Use the arrow keys to select the Safe mode menu item.
    • Press Enter.

    • If GMER in safe mode does not work, please try RootRepeal:

  • RootRepeal


    • Please download RootRepeal to your desktop
    • Physically disconnect your machine from the internet as your system will be unprotected.
    • Unzip it to it's own folder, close all other programs especially your security programs (anti-spyware, anti-virus, and firewall) and run RootRepeal.exe
    • Click the Report tab at the bottom and then the Scan button.
    • A box will pop up, check the boxes beside Drivers, Files, Processes SSDT and click OK.
    • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
    • The scan will take a little while to run, so let it go unhindered.
    • Once it is done, click the "Save Report" button, call it RepealScan and save the log to your desktop.
    • Reconnect to the internet.

    Please provide the GMER/Rootrepeal log in your next reply. If you are still having trouble, come back and let me know.


#4 ephillips

ephillips

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 30 April 2010 - 03:54 PM

I removed the SpyGuard program & restarted. I can't run the Gmer scan. I started the computer in the safe mode 4 times and it would shut off before the windows start up page would even come up. I started it in the normal mode, and started Gmer scan and it sut down again. Is there something else I can do right now before the Gmer scan?

#5 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 01 May 2010 - 05:25 AM

Hello ephillips

Thank you for letting me know. The Malware on your system is interfering with our tools.

Please try the following before running GMER.

  • DeFogger


    • Please download DeFogger to your desktop.
    • Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  • exeHelper


    • Please download exeHelper by clicking here and save the file (called exeHelper.com) to your desktop.
    • Double click on exeHelper.com to run the fix.
    • A black window should pop up. Press any key to close once the fix is completed.
    • Post the contents of log.txt (it Will be created in the directory where you ran exeHelper.com).
    • NOTE: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    If you are still having trouble running GMER, try running RootRepeal (instructions in previous post).

    Post the logs if they are created, otherwise come back and we will try something else :)


#6 ephillips

ephillips

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 02 May 2010 - 08:28 PM

I ran RootRepeal and will post the log for you here and also the defogger log. Also I ran GMER 7 times, each time it shuts down. While out of the house today, tried to perform a system restore to a date in March and "Did some other things to figure out why its shutting down" and then proceeded to downloand a few applications without telling me. I have deleted those applications and also re-ran ERUNT, DDs, Defogger, exehelper & the malwarebyte scans and have those logs as well if you need them. Here is the RootReport & Defogger log ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2010/05/02 21:12 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: 1394BUS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xB80C8000 Size: 57344 File Visible: - Signed: - Status: - Name: ACPI.sys Image Path: ACPI.sys Address: 0xB7F79000 Size: 187776 File Visible: - Signed: - Status: - Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: - Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys Address: 0xA81D6000 Size: 138496 File Visible: - Signed: - Status: - Name: arp1394.sys Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys Address: 0xAD982000 Size: 60800 File Visible: - Signed: - Status: - Name: ASACPI.sys Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys Address: 0xB85F2000 Size: 5152 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0xB7F31000 Size: 96512 File Visible: - Signed: - Status: - Name: ATMFD.DLL Image Path: C:\WINDOWS\System32\ATMFD.DLL Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: - Status: - Name: audstub.sys Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys Address: 0xB8721000 Size: 3072 File Visible: - Signed: - Status: - Name: avgldx86.sys Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys Address: 0xA80EA000 Size: 328576 File Visible: - Signed: - Status: - Name: avgmfx86.sys Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys Address: 0xAC1CD000 Size: 21120 File Visible: - Signed: - Status: - Name: Beep.SYS Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xB8660000 Size: 4224 File Visible: - Signed: - Status: - Name: BOOTVID.dll Image Path: C:\WINDOWS\system32\BOOTVID.dll Address: 0xB84B8000 Size: 12288 File Visible: - Signed: - Status: - Name: Cdfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xAA856000 Size: 63744 File Visible: - Signed: - Status: - Name: cdrom.sys Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys Address: 0xB8258000 Size: 62976 File Visible: - Signed: - Status: - Name: CLASSPNP.SYS Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS Address: 0xB8118000 Size: 53248 File Visible: - Signed: - Status: - Name: disk.sys Image Path: disk.sys Address: 0xB8108000 Size: 36352 File Visible: - Signed: - Status: - Name: drmk.sys Image Path: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xAD9C2000 Size: 61440 File Visible: - Signed: - Status: - Name: dump_nvata.sys Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys Address: 0xA24B1000 Size: 102400 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xB864E000 Size: 8192 File Visible: No Signed: - Status: - Name: Dxapi.sys Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xA3244000 Size: 12288 File Visible: - Signed: - Status: - Name: dxg.sys Image Path: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBD000000 Size: 73728 File Visible: - Signed: - Status: - Name: dxgthk.sys Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xB8734000 Size: 4096 File Visible: - Signed: - Status: - Name: fdc.sys Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys Address: 0xB8430000 Size: 27392 File Visible: - Signed: - Status: - Name: Fips.SYS Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xAD972000 Size: 44544 File Visible: - Signed: - Status: - Name: flpydisk.sys Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys Address: 0xAE956000 Size: 20480 File Visible: - Signed: - Status: - Name: fltmgr.sys Image Path: fltmgr.sys Address: 0xB7EE0000 Size: 129792 File Visible: - Signed: - Status: - Name: Fs_Rec.SYS Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xB865E000 Size: 7936 File Visible: - Signed: - Status: - Name: fssfltr_tdi.sys Image Path: C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys Address: 0xB5430000 Size: 48128 File Visible: - Signed: - Status: - Name: ftdisk.sys Image Path: ftdisk.sys Address: 0xB7F49000 Size: 125056 File Visible: - Signed: - Status: - Name: GEARAspiWDM.sys Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys Address: 0xB8450000 Size: 21120 File Visible: - Signed: - Status: - Name: hal.dll Image Path: C:\WINDOWS\system32\hal.dll Address: 0x806E4000 Size: 134400 File Visible: - Signed: - Status: - Name: HDAudBus.sys Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys Address: 0xB6672000 Size: 163840 File Visible: - Signed: - Status: - Name: HIDCLASS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS Address: 0xAD962000 Size: 36864 File Visible: - Signed: - Status: - Name: HIDPARSE.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Address: 0xAE92E000 Size: 28672 File Visible: - Signed: - Status: - Name: hidusb.sys Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys Address: 0xAD2F9000 Size: 10368 File Visible: - Signed: - Status: - Name: HTTP.sys Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys Address: 0xA1DFC000 Size: 265728 File Visible: - Signed: - Status: - Name: i8042prt.sys Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys Address: 0xB8238000 Size: 52480 File Visible: - Signed: - Status: - Name: imapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys Address: 0xB8248000 Size: 42112 File Visible: - Signed: - Status: - Name: intelppm.sys Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys Address: 0xB8218000 Size: 36352 File Visible: - Signed: - Status: - Name: ipnat.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys Address: 0xA81F8000 Size: 152832 File Visible: - Signed: - Status: - Name: ipsec.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys Address: 0xA82C7000 Size: 75264 File Visible: - Signed: - Status: - Name: isapnp.sys Image Path: isapnp.sys Address: 0xB80A8000 Size: 37248 File Visible: - Signed: - Status: - Name: JGOGO.sys Image Path: JGOGO.sys Address: 0xB85AC000 Size: 6912 File Visible: - Signed: - Status: - Name: jraid.sys Image Path: jraid.sys Address: 0xB80F8000 Size: 43648 File Visible: - Signed: - Status: - Name: kbdclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys Address: 0xB8438000 Size: 24576 File Visible: - Signed: - Status: - Name: KDCOM.DLL Image Path: C:\WINDOWS\system32\KDCOM.DLL Address: 0xB85A8000 Size: 8192 File Visible: - Signed: - Status: - Name: ks.sys Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys Address: 0xB669A000 Size: 143360 File Visible: - Signed: - Status: - Name: KSecDD.sys Image Path: KSecDD.sys Address: 0xB7EB7000 Size: 92928 File Visible: - Signed: - Status: - Name: Lbd.sys Image Path: Lbd.sys Address: 0xB8128000 Size: 57472 File Visible: - Signed: - Status: - Name: mnmdd.SYS Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xB8662000 Size: 4224 File Visible: - Signed: - Status: - Name: Modem.SYS Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS Address: 0xB8458000 Size: 30080 File Visible: - Signed: - Status: - Name: mouclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys Address: 0xB8478000 Size: 23040 File Visible: - Signed: - Status: - Name: mouhid.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys Address: 0xAD2F5000 Size: 12160 File Visible: - Signed: - Status: - Name: MountMgr.sys Image Path: MountMgr.sys Address: 0xB80D8000 Size: 42368 File Visible: - Signed: - Status: - Name: mrxdav.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys Address: 0xA1F2D000 Size: 180608 File Visible: - Signed: - Status: - Name: mrxsmb.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys Address: 0xA813B000 Size: 455680 File Visible: - Signed: - Status: - Name: Msfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xAE93E000 Size: 19072 File Visible: - Signed: - Status: - Name: msgpc.sys Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys Address: 0xB7AA6000 Size: 35072 File Visible: - Signed: - Status: - Name: mssmbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys Address: 0xB70EE000 Size: 15488 File Visible: - Signed: - Status: - Name: Mup.sys Image Path: Mup.sys Address: 0xB7DE3000 Size: 105344 File Visible: - Signed: - Status: - Name: NDIS.sys Image Path: NDIS.sys Address: 0xB7DFD000 Size: 182656 File Visible: - Signed: - Status: - Name: ndistapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys Address: 0xB855C000 Size: 10112 File Visible: - Signed: - Status: - Name: ndisuio.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys Address: 0xB85A0000 Size: 14592 File Visible: - Signed: - Status: - Name: ndiswan.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys Address: 0xB6543000 Size: 91520 File Visible: - Signed: - Status: - Name: NDProxy.SYS Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xB81D8000 Size: 40576 File Visible: - Signed: - Status: - Name: netbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys Address: 0xAD992000 Size: 34688 File Visible: - Signed: - Status: - Name: netbt.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys Address: 0xA821E000 Size: 162816 File Visible: - Signed: - Status: - Name: nic1394.sys Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys Address: 0xB8278000 Size: 61824 File Visible: - Signed: - Status: - Name: Npfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xAE936000 Size: 30848 File Visible: - Signed: - Status: - Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xB7E2A000 Size: 574976 File Visible: - Signed: - Status: - Name: ntkrnlpa.exe Image Path: C:\WINDOWS\system32\ntkrnlpa.exe Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: - Name: Null.SYS Image Path: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xAD1EE000 Size: 2944 File Visible: - Signed: - Status: - Name: nv4_disp.dll Image Path: C:\WINDOWS\System32\nv4_disp.dll Address: 0xBD012000 Size: 6361088 File Visible: - Signed: - Status: - Name: nv4_mini.sys Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys Address: 0xB6709000 Size: 10276768 File Visible: - Signed: - Status: - Name: nvata.sys Image Path: nvata.sys Address: 0xB7F18000 Size: 100736 File Visible: - Signed: - Status: - Name: NVENETFD.sys Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys Address: 0xB7662000 Size: 54784 File Visible: - Signed: - Status: - Name: nvnetbus.sys Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys Address: 0xB8288000 Size: 40960 File Visible: - Signed: - Status: - Name: NVNRM.SYS Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS Address: 0xB6588000 Size: 958464 File Visible: - Signed: - Status: - Name: ohci1394.sys Image Path: ohci1394.sys Address: 0xB80B8000 Size: 61696 File Visible: - Signed: - Status: - Name: parport.sys Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys Address: 0xB66E1000 Size: 80128 File Visible: - Signed: - Status: - Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xB8330000 Size: 19712 File Visible: - Signed: - Status: - Name: ParVdm.SYS Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS Address: 0xB8646000 Size: 6784 File Visible: - Signed: - Status: - Name: pci.sys Image Path: pci.sys Address: 0xB7F68000 Size: 68224 File Visible: - Signed: - Status: - Name: pciide.sys Image Path: pciide.sys Address: 0xB8670000 Size: 3328 File Visible: - Signed: - Status: - Name: PCIIDEX.SYS Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Address: 0xB8328000 Size: 28672 File Visible: - Signed: - Status: - Name: PdiPorts.sys Image Path: C:\WINDOWS\System32\Drivers\PdiPorts.sys Address: 0xB70F2000 Size: 8960 File Visible: - Signed: - Status: - Name: pfc.sys Image Path: C:\WINDOWS\system32\drivers\pfc.sys Address: 0xB8554000 Size: 9856 File Visible: - Signed: - Status: - Name: PnpManager Image Path: \Driver\PnpManager Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: - Name: portcls.sys Image Path: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xA82FA000 Size: 147456 File Visible: - Signed: - Status: - Name: psched.sys Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys Address: 0xB6532000 Size: 69120 File Visible: - Signed: - Status: - Name: ptilink.sys Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys Address: 0xB8468000 Size: 17792 File Visible: - Signed: - Status: - Name: PxHelp20.sys Image Path: PxHelp20.sys Address: 0xB8138000 Size: 36320 File Visible: - Signed: - Status: - Name: rasacd.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys Address: 0xAFB98000 Size: 8832 File Visible: - Signed: - Status: - Name: rasl2tp.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys Address: 0xB82A8000 Size: 51328 File Visible: - Signed: - Status: - Name: raspppoe.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys Address: 0xB7AC6000 Size: 41472 File Visible: - Signed: - Status: - Name: raspptp.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys Address: 0xB7AB6000 Size: 48384 File Visible: - Signed: - Status: - Name: raspti.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys Address: 0xB8470000 Size: 16512 File Visible: - Signed: - Status: - Name: RAW Image Path: \FileSystem\RAW Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: - Name: rdbss.sys Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys Address: 0xA81AB000 Size: 175744 File Visible: - Signed: - Status: - Name: RDPCDD.sys Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xB8664000 Size: 4224 File Visible: - Signed: - Status: - Name: redbook.sys Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys Address: 0xB8268000 Size: 57600 File Visible: - Signed: - Status: - Name: RootMdm.sys Image Path: C:\WINDOWS\System32\Drivers\RootMdm.sys Address: 0xB85F6000 Size: 5888 File Visible: - Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xA044A000 Size: 49152 File Visible: No Signed: - Status: - Name: RtkHDAud.sys Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys Address: 0xA831E000 Size: 4225920 File Visible: - Signed: - Status: - Name: SCSIPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS Address: 0xB7F00000 Size: 98304 File Visible: - Signed: - Status: - Name: serenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys Address: 0xB8550000 Size: 15744 File Visible: - Signed: - Status: - Name: serial.sys Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys Address: 0xB8228000 Size: 64512 File Visible: - Signed: - Status: - Name: sr.sys Image Path: sr.sys Address: 0xB7ECE000 Size: 73472 File Visible: - Signed: - Status: - Name: srv.sys Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys Address: 0xA1D55000 Size: 353792 File Visible: - Signed: - Status: - Name: swenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys Address: 0xB85F8000 Size: 4352 File Visible: - Signed: - Status: - Name: sysaudio.sys Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xAA866000 Size: 60800 File Visible: - Signed: - Status: - Name: tcpip.sys Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys Address: 0xA826E000 Size: 361600 File Visible: - Signed: - Status: - Name: TDI.SYS Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS Address: 0xB8460000 Size: 20480 File Visible: - Signed: - Status: - Name: termdd.sys Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys Address: 0xB7A96000 Size: 40704 File Visible: - Signed: - Status: - Name: update.sys Image Path: C:\WINDOWS\system32\DRIVERS\update.sys Address: 0xB64D4000 Size: 384768 File Visible: - Signed: - Status: - Name: USBD.SYS Image Path: C:\WINDOWS\system32\drivers\USBD.SYS Address: 0xB85F4000 Size: 8192 File Visible: - Signed: - Status: - Name: usbehci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys Address: 0xB8448000 Size: 30208 File Visible: - Signed: - Status: - Name: usbhub.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys Address: 0xAD9B2000 Size: 59520 File Visible: - Signed: - Status: - Name: usbohci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys Address: 0xB8440000 Size: 17152 File Visible: - Signed: - Status: - Name: USBPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS Address: 0xB66BD000 Size: 147456 File Visible: - Signed: - Status: - Name: vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 0xAE946000 Size: 20992 File Visible: - Signed: - Status: - Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xB66F5000 Size: 81920 File Visible: - Signed: - Status: - Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xB80E8000 Size: 52352 File Visible: - Signed: - Status: - Name: wanarp.sys Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys Address: 0xAD9A2000 Size: 34560 File Visible: - Signed: - Status: - Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xA2BC7000 Size: 20480 File Visible: - Signed: - Status: - Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xA224C000 Size: 83072 File Visible: - Signed: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1851392 File Visible: - Signed: - Status: - Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1851392 File Visible: - Signed: - Status: - Name: windrvr6.sys Image Path: C:\WINDOWS\system32\drivers\windrvr6.sys Address: 0xB655A000 Size: 186592 File Visible: - Signed: - Status: - Name: WMILIB.SYS Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS Address: 0xB85AA000 Size: 8192 File Visible: - Signed: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: - Name: ws2ifsl.sys Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys Address: 0xAD311000 Size: 12032 File Visible: - Signed: - Status: - defogger_disable by jpshortstuff (23.02.10.1) Log created at 20:50 on 02/05/2010 (Erin) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=-:

#7 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 03 May 2010 - 11:55 AM

Hello ephillips

also re-ran ERUNT, DDs, Defogger, exehelper & the malwarebyte scans and have those logs as well if you need them.


Thank you for letting me know. I would like to see the logs that exehelper and MBAM produced. Please do not run anymore tools unless requested.

Also, please scan your system with DDS once more and post the log (along with exehelper and MBAM) in your next reply.

#8 ephillips

ephillips

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 03 May 2010 - 01:17 PM

Here is the MBAM, exehelper & DDS / Attach logs: Malwarebytes' Anti-Malware 1.28 Database version: 1159 Windows 5.1.2600 Service Pack 3 5/3/2010 3:14:10 PM mbam-log-2010-05-03 (15-14-10).txt Scan type: Quick Scan Objects scanned: 58512 Time elapsed: 7 minute(s), 20 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) exeHelper by Raktor Build 20100414 Run at 21:13:45 on 05/02/10 Now searching... Checking for numerical processes... Checking for sysguard processes... Checking for bad processes... Checking for bad files... Checking for bad registry entries... Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished-- exeHelper by Raktor Build 20100414 Run at 22:17:47 on 05/02/10 Now searching... Checking for numerical processes... Checking for sysguard processes... Checking for bad processes... Checking for bad files... Checking for bad registry entries... Resetting filetype association for .exe Resetting filetype association for .com DDS (Ver_09-06-26.01) - NTFSx86 Run by Erin at 15:05:21.93 on Mon 05/03/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1146 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Common Files\Corel\Standby\Standby.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\PixArt\PAC207\Monitor.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Lexmark 5300 Series\lxdkmon.exe C:\Program Files\Lexmark 5300 Series\lxdkamon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Application Updater\ApplicationUpdater.exe C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkserv.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\WINDOWS\system32\lxdkcoms.exe C:\WINDOWS\system32\PSIService.exe c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Documents and Settings\Erin\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://aol.com/ uInternet Settings,ProxyOverride = *.local uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.0.2\dealioToolbarIE.dll TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File EB: {E16DC1FE-7C34-43F2-B754-F3AD12DDF97C} - No File uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.4; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)" -"http://www.cartoonne...ack/index.html" mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START mRun: [SkyTel] SkyTel.EXE mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe mRun: [nwiz] nwiz.exe /installquiet mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe mRun: [lxdkmon.exe] "c:\program files\lexmark 5300 series\lxdkmon.exe" mRun: [lxdkamon] "c:\program files\lexmark 5300 series\lxdkamon.exe" mRun: [Lexmark 5300 Series Fax Server] "c:\program files\lexmark 5300 series\fm3032.exe" /s mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [fadagohar] Rundll32.exe "c:\windows\system32\kabifoti.dll",a mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe mRun: [Corel File Shell Monitor] c:\program files\corel\corel paintshop photo pro\x3\pspclassic\CorelIOMonitor.exe mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe StartupFolder: c:\docume~1\erin\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe StartupFolder: c:\docume~1\erin\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE StartupFolder: c:\docume~1\erin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE StartupFolder: c:\docume~1\erin\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe dPolicies-explorer: NoSetActiveDesktop = 1 (0x1) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9} DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/binary/MJSS.cab69309.cab DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197724327218 DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://upload.smugmug.com/photos/activex/ImageUploader4-082807.cab DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll AppInit_DLLs: wawavara.dll c:\windows\system32\kabifoti.dll c:\windows\system32\hedafatu.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SSODL: hugamunom - {592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll SSODL: gobavivoj - {c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll SSODL: merojozus - {610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll SSODL: muwarakos - {92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll SSODL: zamezakif - {63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll STS: kupuhivus: {592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll STS: jugezatag: {c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll STS: mujuzedij: {610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll STS: kupuhivus: {92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll STS: tokatiluy: {63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll LSA: Notification Packages = scecli jubimiso.dll ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-2 335240] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-15 27784] R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-1-8 380928] R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 297752] R2 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-11-19 455944] R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-2-23 55152] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456] R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?] R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-6-14 99248] R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512] S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360] S3 getPlusHelper;getPlus® Installer;c:\windows\system32\svchost.exe -k getPlusHelper [2006-2-28 14336] S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys --> c:\windows\system32\drivers\jl2005c.sys [?] S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2008-2-13 618112] =============== Created Last 30 ================ 2010-05-02 20:04 15 a------- c:\documents and settings\erin\settings.dat 2010-05-02 18:55 28 a------- c:\windows\v2d.INI 2010-05-02 18:41 <DIR> --d----- C:\v2d 2010-05-02 18:41 <DIR> --d----- c:\program files\Total Video2Dvd 2010-05-02 18:16 <DIR> --d----- c:\docume~1\erin\applic~1\Search Settings 2010-05-02 18:16 <DIR> --d----- c:\docume~1\erin\applic~1\Dealio 2010-05-02 18:16 <DIR> --d----- c:\program files\Search Settings 2010-05-02 18:16 <DIR> --d----- c:\program files\Dealio Toolbar 2010-05-02 18:16 <DIR> --d----- c:\program files\Application Updater 2010-05-02 18:16 152,848 a------- c:\windows\system32\COMDLG32.OCX 2010-05-02 18:16 141,312 a------- c:\windows\system32\MSCMCFR.DLL 2010-05-02 18:16 119,568 a------- c:\windows\system32\VB6FR.DLL 2010-05-02 18:16 101,888 a------- c:\windows\system32\VB6STKIT.DLL 2010-05-02 18:16 32,768 a------- c:\windows\system32\CMDLGFR.DLL 2010-05-02 18:16 15,360 a------- c:\windows\system32\inetfr.DLL 2010-05-02 18:16 <DIR> --d----- c:\docume~1\erin\applic~1\FreeBurner 2010-05-02 15:25 <DIR> --d----- c:\program files\3ivx 2010-04-28 23:36 411,368 a------- c:\windows\system32\deployJava1.dll 2010-04-28 21:29 40,960 a------- c:\windows\system32\ssubtmr6.dll 2010-04-28 21:29 36,864 a------- c:\windows\system32\trayicon_handler.ocx 2010-04-21 16:54 <DIR> --d----- c:\docume~1\erin\applic~1\HandBrake 2010-04-21 16:54 <DIR> --d----- c:\program files\Handbrake 2010-04-21 16:32 <DIR> --d----- c:\windows\system32\windows media 2010-04-21 16:28 <DIR> --d----- c:\program files\common files\Protexis 2010-04-21 16:23 <DIR> --d----- c:\program files\common files\Corel 2010-04-21 16:22 <DIR> --d----- c:\program files\Windows Media Components 2010-04-21 16:22 <DIR> --d----- c:\program files\common files\Ulead Systems 2010-04-21 16:22 3,734,536 a------- c:\windows\system32\d3dx9_36.dll 2010-04-21 16:22 1,374,232 a------- c:\windows\system32\D3DCompiler_36.dll 2010-04-21 16:22 444,776 a------- c:\windows\system32\d3dx10_36.dll 2010-04-21 16:22 267,272 a------- c:\windows\system32\xactengine2_10.dll 2010-04-21 16:22 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll 2010-04-21 16:22 444,776 a------- c:\windows\system32\d3dx10_35.dll 2010-04-21 16:22 267,112 a------- c:\windows\system32\xactengine2_9.dll 2010-04-18 20:15 <DIR> --d----- c:\program files\Flip Video 2010-04-18 16:02 <DIR> --d----- c:\docume~1\erin\applic~1\ImTOO 2010-04-18 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero 2010-04-18 13:46 1,761,280 a------- c:\windows\system32\ffdshow.ax 2010-04-18 13:46 262,144 a------- c:\windows\system32\TomsMoComp_ff.dll 2010-04-18 13:46 2,255,360 a------- c:\windows\system32\libavcodec.dll 2010-04-18 13:46 395,776 a------- c:\windows\system32\libmplayer.dll 2010-04-18 13:46 172,032 a------- c:\windows\system32\ac3filter.ax 2010-04-18 13:46 112,640 a------- c:\windows\system32\libmpeg2_ff.dll 2010-04-18 13:10 1,208,320 a------- c:\windows\system32\cygxml2-2.dll 2010-04-18 13:10 1,153,417 a------- c:\windows\system32\cygwin1.dll 2010-04-18 13:10 980,992 a------- c:\windows\system32\cygiconv-2.dll 2010-04-18 13:10 139,264 a------- c:\windows\system32\Mpeg2Decoder.ax 2010-04-18 13:10 94,208 a------- c:\windows\system32\Mpeg2Parser.ax 2010-04-18 13:10 62,464 a------- c:\windows\system32\cygz.dll 2010-04-18 13:10 <DIR> --d----- c:\program files\Cucusoft 2010-04-18 12:54 <DIR> --d----- c:\docume~1\erin\applic~1\AnvSoft 2010-04-13 17:51 <DIR> --d----- c:\docume~1\erin\applic~1\Windows Search 2010-04-09 16:48 3,600,384 a------- c:\windows\system32\GPhotos.scr ==================== Find3M ==================== 2010-05-03 08:29 5,018 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys 2010-05-03 08:29 248 ---shr-- c:\docume~1\alluse~1\applic~1\E27CF4E0CB.sys 2010-03-10 02:15 420,352 a------- c:\windows\system32\vbscript.dll 2010-03-08 08:41 15,688 a------- c:\windows\system32\lsdelete.exe 2010-02-25 02:24 916,480 a------- c:\windows\system32\wininet.dll 2010-02-16 10:08 2,146,304 a------- c:\windows\system32\ntoskrnl.exe 2010-02-16 09:25 2,024,448 a------- c:\windows\system32\ntkrnlpa.exe 2010-02-12 00:33 100,864 a------- c:\windows\system32\6to4svc.dll 2009-09-07 20:58 13,643 a------- c:\program files\common files\yhiqi.ban 2008-09-15 16:46 88 ---shr-- c:\windows\system32\E27CF4E0CB.sys 2008-09-15 16:46 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 15:05:54.10 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-06-26.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume1 Install Date: 12/15/2007 7:49:32 AM System Uptime: 5/3/2010 2:49:08 PM (1 hours ago) Motherboard: ASUSTeK Computer INC. | | P5N-E SLI Processor: Intel® Core™2 Duo CPU E6750 @ 2.66GHz | Socket 775 | 2666/333mhz ==== Disk Partitions ========================= A: is Removable C: is FIXED (NTFS) - 233 GiB total, 160.527 GiB free. D: is CDROM () ==== Disabled Device Manager Items ============= ==== System Restore Points =================== RP1: 5/3/2010 2:56:38 PM - System Checkpoint ==== Installed Programs ====================== 3DVIA player 5.0 3ivx MPEG-4 5.0.3 (remove only) ABBYY FineReader 6.0 Sprint AC3Filter (remove only) Ad-Aware Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) Adobe AIR Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Photoshop 7.0 Adobe Reader 8.1.2 Adobe Reader 8.1.2 Security Update 1 (KB403742) Adobe Shockwave Player 11 American Greetings CreataCard Select 6 Apple Application Support Apple Mobile Device Support Apple Software Update AVG Free 8.5 Basic Webcam Bonjour Choice Guard Contents Corel PaintShop Photo Pro X3 Critical Update for Windows Media Player 11 (KB959772) Dealio Toolbar v4.0.2 Default DeviceIO Dora the Explorer La Casa de Dora Driver Detective DVD-CLONER V7.10 Build 992 ERUNT 1.1j Facebook Plug-In FlipShare getPlus® Download Manager for Corel High Definition Audio Driver Package - KB888111 Hotfix for Microsoft .NET Framework 3.0 (KB932471) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB915800-v4) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB954708) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) HP My Display ICA ImageDrive (Ahead Software) IPM_PSP_Pro iTunes Java Auto Updater Java™ 6 Update 20 Java™ 6 Update 7 JMB36X Raid Configurer Junk Mail filter update Lexmark 5300 Series Malwarebytes' Anti-Malware Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB953297) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Application Error Reporting Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2007 Service Pack 2 (SP2) Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Enterprise 2007 Microsoft Office Excel MUI (English) 2007 Microsoft Office Groove MUI (English) 2007 Microsoft Office Groove Setup Metadata MUI (English) 2007 Microsoft Office InfoPath MUI (English) 2007 Microsoft Office Live Add-in 1.3 Microsoft Office OneNote MUI (English) 2007 Microsoft Office Outlook Connector Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Search Enhancement Pack Microsoft Silverlight Microsoft Software Update for Web Folders (English) 12 Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Sync Framework Runtime Native v1.0 (x86) Microsoft Sync Framework Services Native v1.0 (x86) Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Web Publishing Wizard 1.52 MLE MSN MSVCRT MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 4.0 SP2 Parser and SDK MSXML 6.0 Parser (KB933579) Nations Photo Lab ROES neroxml Netflix Movie Viewer NVIDIA Display Control Panel NVIDIA Drivers NVIDIA nView Desktop Manager Orb Runtime libraries Photo Viewer V2.4 Picasa 3 PSPH10Pro PSPPContent PSPPRO_DCRAW PureHD QuickTime Realtek High Definition Audio Driver SDK Search Settings v1.2.3 Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB978380) Security Update for Microsoft Office Excel 2007 (KB978382) Security Update for Microsoft Office Outlook 2007 (KB972363) Security Update for Microsoft Office PowerPoint 2007 (KB957789) Security Update for Microsoft Office Publisher 2007 (KB980470) Security Update for Microsoft Office system 2007 (972581) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office system 2007 (KB974234) Security Update for Microsoft Office Visio Viewer 2007 (KB973709) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 7 (KB972260) Security Update for Windows Internet Explorer 7 (KB974455) Security Update for Windows Internet Explorer 7 (KB976325) Security Update for Windows Internet Explorer 7 (KB978207) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB978207) Security Update for Windows Internet Explorer 8 (KB981332) Security Update for Windows Media Encoder (KB954156) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB936782) Security Update for Windows Search 4 - KB963093 Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923789) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB980232) Segoe UI Setup Share Skype™ 4.0 Spybot - Search & Destroy The Digital Arts and Crafts Studio U.B. Funkeys Uninstall 1.0.0.1 Unity Web Player Update for 2007 Microsoft Office System (KB967642) Update for 2007 Microsoft Office System (KB981715) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Office 2007 Help for Common Features (KB963673) Update for Microsoft Office Access 2007 Help (KB963663) Update for Microsoft Office Excel 2007 Help (KB963678) Update for Microsoft Office InfoPath 2007 (KB976416) Update for Microsoft Office Infopath 2007 Help (KB963662) Update for Microsoft Office OneNote 2007 (KB980729) Update for Microsoft Office OneNote 2007 Help (KB963670) Update for Microsoft Office Outlook 2007 Help (KB963677) Update for Microsoft Office Powerpoint 2007 Help (KB963669) Update for Microsoft Office Publisher 2007 Help (KB963667) Update for Microsoft Office Script Editor Help (KB963671) Update for Microsoft Office Word 2007 (KB974561) Update for Microsoft Office Word 2007 Help (KB963665) Update for Microsoft Windows (KB971513) Update for Outlook 2007 Junk Email Filter (kb981433) Update for Windows Internet Explorer 7 (KB976749) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB980182) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB961503) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) VIO Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 WebFldrs XP WebIQ Technology Engine WinAce Archiver Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Live Communications Platform Windows Live Essentials Windows Live Family Safety Windows Live Mail Windows Live Photo Gallery Windows Live Sign-in Assistant Windows Live Toolbar Windows Live Writer Windows Media Encoder 9 Series Windows Media Format 11 runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 11 Windows Media Player 9 Series TweakMP PowerToy Windows Movie Maker 2.0 Windows Presentation Foundation Windows Search 4.0 Windows XP Service Pack 3 Winkflash Transporter XML Paper Specification Shared Components Pack 1.0 ==== Event Viewer Messages From Past Week ======== 5/3/2010 9:40:40 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:. 5/3/2010 9:07:57 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 001D60BA3376 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message). 5/2/2010 8:25:05 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found. 5/2/2010 8:01:50 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s). ==== End Of File =========================== THANK YOU

#9 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 03 May 2010 - 06:10 PM

Hello ephillips

Thank you for the logs.

Please work your way through the following steps. If you encounter any difficulties, come back and let me know.

  • Download Combofix and RE-NAME it BEFORE saving


  • Download Combofix from either of the links below. You must rename it to ephillips.exe before saving it.
  • Save it to your desktop. Change the "save as file type" to "all files".
  • Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.


  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


Link 1
Link 2



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.


  • Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#10 ephillips

ephillips

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 04 May 2010 - 08:16 PM

ComboFix 10-05-04.03 - Erin 05/04/2010 21:18:01.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\program files\Search Settings
c:\program files\Search Settings\SeARchsettings.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\windows\system32\hedafatu.dll
c:\windows\Tasks.\aurwolai.job
c:\windows\Tasks.\aurwolai.job . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Search Settings
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Dealio
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-18 20:33 . 2010-03-18 20:33 7750617 ----a-w- c:\documents and settings\All Users\SPL55.tmp
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-08 12:41 . 2009-09-08 01:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-09-08 00:58 . 2009-09-08 00:58 13643 ----a-w- c:\program files\Common Files\yhiqi.ban
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-fadagohar - c:\windows\system32\kabifoti.dll
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
SharedTaskScheduler-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
SSODL-hugamunom-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SSODL-gobavivoj-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SSODL-merojozus-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SSODL-muwarakos-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SSODL-zamezakif-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 21:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1492)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdkcoms.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
.
**************************************************************************
.
Completion time: 2010-05-04 22:02:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 02:02
ComboFix2.txt 2009-01-31 15:21
ComboFix3.txt 2009-01-16 19:45
ComboFix4.txt 2009-01-16 18:07
ComboFix5.txt 2010-05-05 01:17

Pre-Run: 172,081,438,720 bytes free
Post-Run: 173,642,485,760 bytes free

- - End Of File - - B29A6EEC321CF5AD9658855E0BB2EF68

#11 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 05 May 2010 - 05:18 PM

Hello ephillips

Thank you for the log. Before we continue, I would like to take a closer look at some files on your machine.

Please work your way through the following steps:

  • Please run the following Command


    • Click on "Start" and then on "Run".
    • Copy and Paste the following command into the Run box:


    cmd /c del /f/a/q "c:\windows\Tasks.\aurwolai.job"



    • Click on "OK".

  • Please make all files and folders VISIBLE:


    • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
    • Choose to "Show hidden files and folders."
    • Uncheck the "Hide protected operating system files" and the "Hide extensions for know file types" boxes.
    • Close the window with "OK".

  • Please scan the following files


    • Please visit Virus Total by clicking here.
    • Click the Browse button and search for the following file: c:\program files\Common Files\yhiqi.ban
    • Click Open.
    • Then click Send File.
    • Please be patient while the file is scanned.
    • If Virus Total tells you that the file has already been scanned, click "reanalyse now".

    • Once the scan results appear, copy and paste them into Notepad and repeat the procedure for the following file(s):

    c:\documents and settings\All Users\SPL55.tmp

    • Please provide the results from the scans in your next reply.


#12 ephillips

ephillips

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 05 May 2010 - 07:30 PM

File yhiqi.ban received on 2010.05.06 01:25:06 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/41 (0%) Loading server information... Your file is queued in position: 1. Estimated start time is between 38 and 55 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.5.0.50 2010.05.06 - AhnLab-V3 2010.05.05.00 2010.05.05 - AntiVir 8.2.1.236 2010.05.05 - Antiy-AVL 2.0.3.7 2010.05.05 - Authentium 5.2.0.5 2010.05.06 - Avast 4.8.1351.0 2010.05.05 - Avast5 5.0.332.0 2010.05.05 - AVG 9.0.0.787 2010.05.05 - BitDefender 7.2 2010.05.06 - CAT-QuickHeal 10.00 2010.05.04 - ClamAV 0.96.0.3-git 2010.05.05 - Comodo 4775 2010.05.06 - DrWeb 5.0.2.03300 2010.05.06 - eSafe 7.0.17.0 2010.05.05 - eTrust-Vet 35.2.7470 2010.05.05 - F-Prot 4.5.1.85 2010.05.05 - F-Secure 9.0.15370.0 2010.05.06 - Fortinet 4.0.14.0 2010.05.05 - GData 21 2010.05.06 - Ikarus T3.1.1.84.0 2010.05.06 - Jiangmin 13.0.900 2010.05.05 - Kaspersky 7.0.0.125 2010.05.06 - McAfee 5.400.0.1158 2010.05.06 - McAfee-GW-Edition 2010.1 2010.05.05 - Microsoft 1.5703 2010.05.05 - NOD32 5089 2010.05.05 - Norman 6.04.12 2010.05.05 - nProtect 2010-05-05.01 2010.05.05 - Panda 10.0.2.7 2010.05.05 - PCTools 7.0.3.5 2010.05.05 - Prevx 3.0 2010.05.06 - Rising 22.46.02.03 2010.05.05 - Sophos 4.53.0 2010.05.06 - Sunbelt 6265 2010.05.06 - Symantec 20091.2.0.41 2010.05.05 - TheHacker 6.5.2.0.275 2010.05.03 - TrendMicro 9.120.0.1004 2010.05.05 - TrendMicro-HouseCall 9.120.0.1004 2010.05.06 - VBA32 3.12.12.4 2010.05.05 - ViRobot 2010.5.4.2303 2010.05.05 - VirusBuster 5.0.27.0 2010.05.05 - Additional information File size: 13643 bytes MD5...: 66b636a4e913d20efbb6366ab8b4aa17 SHA1..: 2dd5d4e045cfc877abc231724b16e633a5ff6bb0 SHA256: 24ca68d22cc54c11d9e4d4f5b219f0617e81ae0ff93515e34e15ba937d55389b ssdeep: 384:1ReVN3oX97kUTCsbmF20AaZcA8UDZJGHyXNOa:1R8JoXGVSyZBNJiyXNOa PEiD..: - PEInfo: - RDS...: NSRL Reference Data Set - trid..: MPEG Video (100.0%) sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned pdfid.: - File SPL55.tmp received on 2010.05.06 01:28:28 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/41 (0%) Loading server information... Your file is queued in position: ___. Estimated start time is between ___ and ___ . Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.5.0.50 2010.05.06 - AhnLab-V3 2010.05.05.00 2010.05.05 - AntiVir 8.2.1.236 2010.05.05 - Antiy-AVL 2.0.3.7 2010.05.05 - Authentium 5.2.0.5 2010.05.06 - Avast 4.8.1351.0 2010.05.05 - Avast5 5.0.332.0 2010.05.05 - AVG 9.0.0.787 2010.05.05 - BitDefender 7.2 2010.05.06 - CAT-QuickHeal 10.00 2010.05.04 - ClamAV 0.96.0.3-git 2010.05.05 - Comodo 4775 2010.05.06 - DrWeb 5.0.2.03300 2010.05.06 - eSafe 7.0.17.0 2010.05.05 - eTrust-Vet 35.2.7470 2010.05.05 - F-Prot 4.5.1.85 2010.05.05 - F-Secure 9.0.15370.0 2010.05.06 - Fortinet 4.0.14.0 2010.05.05 - GData 21 2010.05.06 - Ikarus T3.1.1.84.0 2010.05.06 - Jiangmin 13.0.900 2010.05.05 - Kaspersky 7.0.0.125 2010.05.06 - McAfee 5.400.0.1158 2010.05.06 - McAfee-GW-Edition 2010.1 2010.05.05 - Microsoft 1.5703 2010.05.05 - NOD32 5089 2010.05.05 - Norman 6.04.12 2010.05.05 - nProtect 2010-05-05.01 2010.05.05 - Panda 10.0.2.7 2010.05.05 - PCTools 7.0.3.5 2010.05.05 - Prevx 3.0 2010.05.06 - Rising 22.46.02.03 2010.05.05 - Sophos 4.53.0 2010.05.06 - Sunbelt 6265 2010.05.06 - Symantec 20091.2.0.41 2010.05.05 - TheHacker 6.5.2.0.275 2010.05.03 - TrendMicro 9.120.0.1004 2010.05.05 - TrendMicro-HouseCall 9.120.0.1004 2010.05.06 - VBA32 3.12.12.4 2010.05.05 - ViRobot 2010.5.4.2303 2010.05.05 - VirusBuster 5.0.27.0 2010.05.05 - Additional information File size: 7750617 bytes MD5...: d20a6b8786b714f420cf0cca9f7c0ac5 SHA1..: d2e9388c7a7c879d89a69d11eded22d321ef842d SHA256: 9c243c402521c1b504f6c888fb83f95d11e716aadfa82cd9fe8bf47f4f2d6c53 ssdeep: 49152:2xApdDkFcnwaR2NzTHQQQpTgHmSDEfsVk0000000zawB:0ApdDkyw5ZQQC gH9k0000000ztB PEiD..: - PEInfo: - RDS...: NSRL Reference Data Set - pdfid.: - trid..: OpenGL object (49.9%) Lotus 123 Worksheet (generic) (25.0%) MacBinary 2 header (12.5%) BONK lossless/lossy audio compressor (12.4%) MS Flight Simulator Aircraft Performance Info (0.0%) sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned THANKS

#13 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 06 May 2010 - 11:34 AM

Hello ephillips

Thank you for the scan logs.

  • Please work through the following steps


    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      File::
      c:\program files\Common Files\yhiqi.ban
      c:\documents and settings\All Users\SPL55.tmp

      Folder::
      c:\documents and settings\Erin\Application Data\Search Settings
      c:\documents and settings\Erin\Application Data\Dealio

      DirLook::
      c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Refering to the picture below, drag CFScript.txt into ComboFix.exe

      Posted Image
    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.

  • Clean out your temporary files


    • Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
    • Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
    • Check the boxes to the left of the following:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Java Cache

    • The rest are optional. If you want to remove everything check the "Select All" box.
    • Click on "Empty Selected" to begin cleaning.
    • Once the "Done Cleaning" message appears, click OK.

    • If you use Firefox, Click on the Firefox tab and repeat the above process.
    • When you have finished cleaning, click on the "Exit" button in the main menu.

  • Please perform the following scan:


    • You have MalwareBytes AntiMalware installed.
    • Double click on your MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform full scan"and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

  • Please perform the following scan:


    • This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.


    • It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
    • DO NOT surf the net while your resident protection is disabled!
    • Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.


    • Please perform a Kaspersky Online Scan of your computer by clicking here or here.


    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run (at times it may appear to stall).
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    • Once the scan is complete, click on View scan report. To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop
    • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:Text file [*.txt]
    • Then, click: Save
    • Please post the Kaspersky Online Scanner Report in your reply.
    • If you need help performing the above steps, an animated tutorial can be found here.

    In your next reply please provide the ComboFix log, the MBAM log and the Kaspersky Online Scan log.

    Also, please describe how your machine is behaving now. Are you still experiencing problems?


#14 JonTom

JonTom

    SuperHelper

  • Classroom Teacher
  • 5,198 posts

Posted 09 May 2010 - 03:26 AM

Are you still with me?

#15 ephillips

ephillips

    Authentic Member

  • Authentic Member
  • PipPip
  • 39 posts

Posted 09 May 2010 - 08:32 AM

Yep, trying the deep scan again, it has shut down 3 times before completing it. The combofix went through with no issues to report, but I'll post the log here.
Thanks again.

ComboFix 10-05-05.0D - Erin 05/06/2010 16:58:00.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
Command switches used :: c:\documents and settings\Erin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\All Users\SPL55.tmp"
"c:\program files\Common Files\yhiqi.ban"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\SPL55.tmp
c:\documents and settings\Erin\Application Data\Dealio
c:\documents and settings\Erin\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Erin\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Erin\Application Data\Search Settings
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14731.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14732.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14733.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14734.log
c:\program files\Common Files\yhiqi.ban

.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-07 17:16 . 2010-04-07 17:16 503808 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcp71.dll
2010-04-07 17:16 . 2010-04-07 17:16 499712 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\jmc.dll
2010-04-07 17:16 . 2010-04-07 17:16 348160 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcr71.dll
2010-04-07 17:16 . 2010-04-07 17:16 61440 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-sse.dll
2010-04-07 17:16 . 2010-04-07 17:16 12800 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 50354 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\uninstall.exe
2010-03-24 14:49 . 2010-03-24 14:49 2114184 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:31 . 2010-03-09 02:32 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:31 . 2008-08-31 15:07 38784 ----a-w- c:\documents and settings\Erin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} ----

2009-03-25 11:36 . 2009-03-25 11:36 90 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\instance.dat
2009-03-25 11:36 . 2010-04-29 04:01 487 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.dat
2009-03-25 11:36 . 2009-03-25 11:36 9 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.lan
2009-03-25 11:36 . 2009-03-25 11:36 9318 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.par
2009-03-25 11:36 . 2009-03-12 08:17 5115615 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.res
2009-03-25 11:36 . 2009-03-12 08:17 578782 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\mia.lib
2009-03-25 11:36 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-03-25 11:36 . 2009-03-12 08:17 1802240 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.msi


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 17:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-05-06 17:08:53
ComboFix-quarantined-files.txt 2010-05-06 21:08
ComboFix2.txt 2010-05-05 02:02
ComboFix3.txt 2009-01-31 15:21
ComboFix4.txt 2009-01-16 19:45
ComboFix5.txt 2010-05-06 20:57

Pre-Run: 173,457,506,304 bytes free
Post-Run: 173,519,728,640 bytes free

- - End Of File - - 1BE7B93382BAF22551E87176ECD5A671




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users