Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91679 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Hijacked?


  • This topic is locked This topic is locked
16 replies to this topic

#1 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 16 November 2009 - 08:48 AM

Okay, I am running a relatively new machine (about 2-3 months old) and am having error messages and last night the computer wouldn't log out. I ran a hijack this log and found a few confusing things, so here I am.

The errors are such things as : " //./root/CIMV2 SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99
0x80041003 "

AND

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys



I tried the rootkit revealer but after it downloaded, it opened up and when I attempted to follow the instructions given here for running it
it froze on me and actually froze my whole system requiring restart. I did not see it on my desktop so tried to download it again, but with the exact same results. I have searched for it with win explore but nothing titled rootkit reveal, nothing with the words rootkit in it.

Here is an error I found associated with this problem: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\rootrepeal3.sys



Here are the DDS results:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Meserole Family at 7:24:10.93 on Mon 11/16/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2005 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Meserole Family\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Presario&pf=cndt
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0552.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0552.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5_(.NET_CLR_3.5.30729)" -"http://www.skunkstud...ll2webgame.htm"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\mesero~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: guardian.co.uk\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/icaweb-20070115.cab
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://games.bigfishgames.com/en_dinerdashfloontheg/online/ddfotg.1.0.0.33.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.gamehouse.com/realarcade-webgames/zuma/popcaploader.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mesero~1\appdata\roaming\mozilla\firefox\profiles\1iqa5sdq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-9-22 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-9-22 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-9-22 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-11-12 343088]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-9-22 117640]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-23 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-9-22 48688]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-3 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc.pkms [2009-2-2 20848]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2009-5-18 133152]

=============== Created Last 30 ================

2009-11-13 14:18 <DIR> --d----- c:\program files\MSXML 4.0
2009-11-13 14:18 34,904 a------- c:\windows\system32\htmlhelp.lib
2009-11-13 14:18 303,183 a------- c:\windows\system32\Email.dll
2009-11-13 14:18 106,496 a------- c:\windows\system32\PTextEffect.dll
2009-11-13 14:18 <DIR> --d----- c:\program files\Video Express
2009-11-13 14:16 118,784 -------- c:\windows\system32\PTTreeIcons.dll
2009-11-13 14:16 <DIR> --d----- c:\program files\Snap 'n Share pro
2009-11-09 20:13 <DIR> --d----- c:\programdata\PopCap
2009-11-09 20:13 <DIR> --d----- c:\progra~2\PopCap
2009-11-08 21:00 <DIR> --d----- c:\users\mesero~1\appdata\roaming\ICAClient
2009-11-03 17:48 1,638,912 a------- c:\windows\system32\mshtml.tlb
2009-11-03 14:19 <DIR> --d----- c:\program files\Windows Portable Devices
2009-11-03 14:19 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 13:30 54,632 a------- c:\windows\system32\drivers\fssfltr.sys
2009-11-03 13:25 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-11-03 13:25 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-11-03 13:25 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-11-03 13:11 <DIR> --d----- c:\program files\common files\Windows Live
2009-11-03 13:08 30,208 a------- c:\windows\system32\WPDShextAutoplay.exe
2009-11-03 13:07 4,096 a------- c:\windows\system32\oleaccrc.dll
2009-11-03 13:07 555,520 a------- c:\windows\system32\UIAutomationCore.dll
2009-11-03 13:07 234,496 a------- c:\windows\system32\oleacc.dll
2009-11-03 13:03 310,784 a------- c:\windows\system32\unregmp2.exe
2009-11-03 13:03 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-11-02 15:19 218,624 a------- c:\windows\system32\msv1_0.dll
2009-11-02 15:19 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-11-02 15:19 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2009-11-02 15:19 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-11-02 15:19 60,928 a------- c:\windows\system32\msasn1.dll
2009-11-02 15:18 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-29 14:42 <DIR> --d----- c:\programdata\Kodak
2009-10-29 14:42 <DIR> --d----- c:\progra~2\Kodak
2009-10-23 10:01 <DIR> --d----- c:\programdata\GameHouse
2009-10-23 10:01 <DIR> --d----- c:\progra~2\GameHouse
2009-10-23 09:53 <DIR> --d----- C:\GameHouse Games

==================== Find3M ====================

2009-11-16 04:47 1,252 a------- c:\users\mesero~1\appdata\roaming\wklnhst.dat
2009-11-03 14:19 665,600 a------- c:\windows\inf\drvindex.dat
2009-11-03 14:19 143,360 a------- c:\windows\inf\infstrng.dat
2009-11-03 14:19 143,360 a------- c:\windows\inf\infstor.dat
2009-11-03 14:19 51,200 a------- c:\windows\inf\infpub.dat
2009-10-11 13:25 392 a------- c:\users\meserole family\jobq.dat
2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-30 19:02 2,537,472 a------- c:\windows\system32\wpdshext.dll
2009-09-30 19:02 334,848 a------- c:\windows\system32\PortableDeviceApi.dll
2009-09-30 19:02 87,552 a------- c:\windows\system32\WPDShServiceObj.dll
2009-09-30 19:02 31,232 a------- c:\windows\system32\BthMtpContextHandler.dll
2009-09-30 19:01 546,816 a------- c:\windows\system32\wpd_ci.dll
2009-09-30 19:01 160,256 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-09-30 19:01 350,208 a------- c:\windows\system32\WPDSp.dll
2009-09-30 19:01 196,608 a------- c:\windows\system32\PortableDeviceWMDRM.dll
2009-09-30 19:01 100,864 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-30 19:01 60,928 a------- c:\windows\system32\PortableDeviceConnectApi.dll
2009-09-30 19:01 81,920 a------- c:\windows\system32\wpdbusenum.dll
2009-09-24 20:10 974,848 a------- c:\windows\system32\WindowsCodecs.dll
2009-09-24 20:07 189,440 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-09-24 20:04 321,024 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-24 19:49 1,554,432 a------- c:\windows\system32\xpsservices.dll
2009-09-24 19:48 351,232 a------- c:\windows\system32\XpsPrint.dll
2009-09-24 19:38 847,360 a------- c:\windows\system32\OpcServices.dll
2009-09-24 19:36 280,064 a------- c:\windows\system32\XpsGdiConverter.dll
2009-09-24 19:35 135,680 a------- c:\windows\system32\XpsRasterService.dll
2009-09-24 19:33 195,584 a------- c:\windows\system32\dxdiagn.dll
2009-09-24 19:33 829,440 a------- c:\windows\system32\d3d10warp.dll
2009-09-24 19:33 369,664 a------- c:\windows\system32\WMPhoto.dll
2009-09-24 19:32 252,928 a------- c:\windows\system32\dxdiag.exe
2009-09-24 19:31 519,680 a------- c:\windows\system32\d3d11.dll
2009-09-24 19:31 486,912 a------- c:\windows\system32\d3d10level9.dll
2009-09-24 19:31 161,280 a------- c:\windows\system32\d3d10_1.dll
2009-09-24 19:31 218,112 a------- c:\windows\system32\d3d10_1core.dll
2009-09-24 19:31 1,030,144 a------- c:\windows\system32\d3d10.dll
2009-09-24 19:31 828,928 a------- c:\windows\system32\d2d1.dll
2009-09-24 19:30 481,792 a------- c:\windows\system32\dxgi.dll
2009-09-24 19:30 190,464 a------- c:\windows\system32\d3d10core.dll
2009-09-24 19:27 634,880 a------- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-24 19:27 1,064,448 a------- c:\windows\system32\DWrite.dll
2009-09-24 19:27 793,088 a------- c:\windows\system32\FntCache.dll
2009-09-24 19:27 37,888 a------- c:\windows\system32\cdd.dll
2009-09-24 16:54 258,048 a------- c:\windows\system32\winspool.drv
2009-09-24 16:54 667,648 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 16:54 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-22 21:29 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-22 21:29 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-22 21:29 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-22 21:29 26,600 a----r-- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-22 21:29 25,648 a----r-- c:\windows\system32\drivers\SymIMV.sys
2009-09-22 21:29 107,368 a----r-- c:\windows\system32\GEARAspi.dll
2009-09-09 20:01 3,023,360 a------- c:\windows\system32\UIRibbon.dll
2009-09-09 20:00 1,164,800 a------- c:\windows\system32\UIRibbonRes.dll
2009-09-09 20:00 92,672 a------- c:\windows\system32\UIAnimation.dll
2009-08-28 20:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 20:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 20:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 20:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 18:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 18:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-26 23:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 23:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-26 23:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 21:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-18 14:55 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 7:24:35.71 ===============

Here is my Hijack this file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:31 AM, on 11/16/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...rio&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...rio&pf=cndt
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0552.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0552.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "c:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "c:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5_(.NET_CLR_3.5.30729)" -"http://www.skunkstud...ll2webgame.htm"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.guardian.co.uk
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...eb-20070115.cab
O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfish...eb.1.0.0.11.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://games.bigfish...tg.1.0.0.33.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse...opcaploader.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 9204 bytes


Thanks!

    Advertisements

Register to Remove


#2 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 19 November 2009 - 04:50 PM

Hello and welcome to WTT!

If you still require help please do the following to see the condition of your machine and also please give a description of any remaining problems or symptoms you may still have please.

Please read the instructions here first: http://forums.whatth...rs_t106388.html

Post the results once done. Any problems/questions you can let me know.

~Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#3 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 20 November 2009 - 12:21 PM

Thank you for your response! I am confused, though. I did follow the instructions in the welcome email. I included the results in my post, except for the rootkit reveal which wouldn't work. Do I need to do it again? computerwannabe

#4 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 20 November 2009 - 12:25 PM

I looked over the initial post, and I don't see the DDS attach file, that I am sure I attached, so I will upload it again.

Attached Files



#5 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 20 November 2009 - 03:13 PM

Yes, please do it again so I can see the current condition of your system. Thanks.
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#6 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 24 November 2009 - 03:26 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#7 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 25 November 2009 - 07:40 AM

Okay, sorry for the delay. Once again, my computer froze while running the root repeal scan and had to be restarted, so no results for that. Here are the results of DDS: DDS (Ver_09-06-26.01) - NTFSx86 Run by Meserole Family at 6:53:51.63 on Wed 11/25/2009 Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1849 [GMT -6:00] SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k GPSvcGroup C:\Windows\system32\SLsvc.exe C:\Windows\system32\rundll32.exe C:\Windows\servicing\TrustedInstaller.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\LSI SoftModem\agrsmsvc.exe C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Windows\system32\SearchIndexer.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Windows\system32\DllHost.exe C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe C:\Windows\system32\DllHost.exe C:\Windows\System32\svchost.exe -k getPlusHelper C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\SearchProtocolHost.exe c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe C:\Program Files\Windows Mail\WinMail.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\wbem\wmiprvse.exe \\?\C:\Windows\system32\wbem\WMIADAP.EXE C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Users\Meserole Family\Downloads\dds(3).scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Presario&pf=cndt mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Presario&pf=cndt BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0552.0\msneshellx.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0552.0\msneshellx.dll TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0" mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5" mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0" mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\users\mesero~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL LSP: c:\windows\system32\wpclsp.dll Trusted Zone: guardian.co.uk\www DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/icaweb-20070115.cab DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://games.bigfishgames.com/en_dinerdashfloontheg/online/ddfotg.1.0.0.33.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.gamehouse.com/realarcade-webgames/zuma/popcaploader.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll ================= FIREFOX =================== FF - ProfilePath - c:\users\mesero~1\appdata\roaming\mozilla\firefox\profiles\1iqa5sdq.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll FF - plugin: c:\program files\microsoft\office live\npOLW.dll FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071503000010.dll FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071505000010.dll FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071701000002.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-9-22 310320] R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-9-22 259632] R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-9-22 482432] R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-11-12 343088] R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-9-22 117640] R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512] R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-23 102448] R3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2008-1-20 21504] R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-9-22 48688] S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504] S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-3 54632] S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864] S3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc.pkms [2009-2-2 20848] S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-11-16 34816] S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2009-5-18 133152] Thanks! =============== Created Last 30 ================ 2009-11-25 06:41 2,048 a------- c:\windows\system32\tzres.dll 2009-11-25 06:39 1,401,856 a------- c:\windows\system32\msxml6.dll 2009-11-25 06:39 1,248,768 a------- c:\windows\system32\msxml3.dll 2009-11-25 06:39 714,240 a------- c:\windows\system32\timedate.cpl 2009-11-21 20:28 <DIR> --d----- c:\programdata\Apple Computer 2009-11-17 03:50 2,036,736 a------- c:\windows\system32\win32k.sys 2009-11-17 03:50 355,328 a------- c:\windows\system32\WSDApi.dll 2009-11-16 07:29 34,816 a------- c:\windows\system32\drivers\rootrepeal2.sys 2009-11-13 14:18 <DIR> --d----- c:\program files\MSXML 4.0 2009-11-13 14:18 34,904 a------- c:\windows\system32\htmlhelp.lib 2009-11-13 14:18 303,183 a------- c:\windows\system32\Email.dll 2009-11-13 14:18 106,496 a------- c:\windows\system32\PTextEffect.dll 2009-11-13 14:18 <DIR> --d----- c:\program files\Video Express 2009-11-13 14:16 118,784 -------- c:\windows\system32\PTTreeIcons.dll 2009-11-13 14:16 <DIR> --d----- c:\program files\Snap 'n Share pro 2009-11-10 23:08 94,208 a------- c:\windows\system32\QuickTimeVR.qtx 2009-11-10 23:08 69,632 a------- c:\windows\system32\QuickTime.qts 2009-11-09 20:13 <DIR> --d----- c:\programdata\PopCap 2009-11-09 20:13 <DIR> --d----- c:\progra~2\PopCap 2009-11-08 21:00 <DIR> --d----- c:\users\mesero~1\appdata\roaming\ICAClient 2009-11-03 17:48 1,638,912 a------- c:\windows\system32\mshtml.tlb 2009-11-03 14:19 <DIR> --d----- c:\program files\Windows Portable Devices 2009-11-03 14:19 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf 2009-11-03 13:30 54,632 a------- c:\windows\system32\drivers\fssfltr.sys 2009-11-03 13:25 3,426,072 a------- c:\windows\system32\d3dx9_32.dll 2009-11-03 13:25 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition 2009-11-03 13:25 <DIR> --d----- c:\program files\Windows Live SkyDrive 2009-11-03 13:11 <DIR> --d----- c:\program files\common files\Windows Live 2009-11-03 13:08 30,208 a------- c:\windows\system32\WPDShextAutoplay.exe 2009-11-03 13:07 4,096 a------- c:\windows\system32\oleaccrc.dll 2009-11-03 13:07 555,520 a------- c:\windows\system32\UIAutomationCore.dll 2009-11-03 13:07 234,496 a------- c:\windows\system32\oleacc.dll 2009-11-03 13:03 310,784 a------- c:\windows\system32\unregmp2.exe 2009-11-03 13:03 8,147,456 a------- c:\windows\system32\wmploc.DLL 2009-11-02 15:19 218,624 a------- c:\windows\system32\msv1_0.dll 2009-11-02 15:19 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe 2009-11-02 15:19 3,548,216 a------- c:\windows\system32\ntoskrnl.exe 2009-11-02 15:19 144,896 a------- c:\windows\system32\drivers\srv2.sys 2009-11-02 15:19 60,928 a------- c:\windows\system32\msasn1.dll 2009-11-02 15:18 604,672 a------- c:\windows\system32\WMSPDMOD.DLL 2009-10-29 14:42 <DIR> --d----- c:\programdata\Kodak 2009-10-29 14:42 <DIR> --d----- c:\progra~2\Kodak ==================== Find3M ==================== 2009-11-23 12:34 1,614 a------- c:\users\mesero~1\appdata\roaming\wklnhst.dat 2009-11-03 14:19 665,600 a------- c:\windows\inf\drvindex.dat 2009-11-03 14:19 143,360 a------- c:\windows\inf\infstrng.dat 2009-11-03 14:19 143,360 a------- c:\windows\inf\infstor.dat 2009-11-03 14:19 51,200 a------- c:\windows\inf\infpub.dat 2009-10-11 13:25 392 a------- c:\users\meserole family\jobq.dat 2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll 2009-09-30 19:02 2,537,472 a------- c:\windows\system32\wpdshext.dll 2009-09-30 19:02 334,848 a------- c:\windows\system32\PortableDeviceApi.dll 2009-09-30 19:02 87,552 a------- c:\windows\system32\WPDShServiceObj.dll 2009-09-30 19:02 31,232 a------- c:\windows\system32\BthMtpContextHandler.dll 2009-09-30 19:01 546,816 a------- c:\windows\system32\wpd_ci.dll 2009-09-30 19:01 160,256 a------- c:\windows\system32\PortableDeviceTypes.dll 2009-09-30 19:01 350,208 a------- c:\windows\system32\WPDSp.dll 2009-09-30 19:01 196,608 a------- c:\windows\system32\PortableDeviceWMDRM.dll 2009-09-30 19:01 100,864 a------- c:\windows\system32\PortableDeviceClassExtension.dll 2009-09-30 19:01 60,928 a------- c:\windows\system32\PortableDeviceConnectApi.dll 2009-09-30 19:01 81,920 a------- c:\windows\system32\wpdbusenum.dll 2009-09-24 20:10 974,848 a------- c:\windows\system32\WindowsCodecs.dll 2009-09-24 20:07 189,440 a------- c:\windows\system32\WindowsCodecsExt.dll 2009-09-24 20:04 321,024 a------- c:\windows\system32\PhotoMetadataHandler.dll 2009-09-24 19:49 1,554,432 a------- c:\windows\system32\xpsservices.dll 2009-09-24 19:48 351,232 a------- c:\windows\system32\XpsPrint.dll 2009-09-24 19:38 847,360 a------- c:\windows\system32\OpcServices.dll 2009-09-24 19:36 280,064 a------- c:\windows\system32\XpsGdiConverter.dll 2009-09-24 19:35 135,680 a------- c:\windows\system32\XpsRasterService.dll 2009-09-24 19:33 195,584 a------- c:\windows\system32\dxdiagn.dll 2009-09-24 19:33 829,440 a------- c:\windows\system32\d3d10warp.dll 2009-09-24 19:33 369,664 a------- c:\windows\system32\WMPhoto.dll 2009-09-24 19:32 252,928 a------- c:\windows\system32\dxdiag.exe 2009-09-24 19:31 519,680 a------- c:\windows\system32\d3d11.dll 2009-09-24 19:31 486,912 a------- c:\windows\system32\d3d10level9.dll 2009-09-24 19:31 161,280 a------- c:\windows\system32\d3d10_1.dll 2009-09-24 19:31 218,112 a------- c:\windows\system32\d3d10_1core.dll 2009-09-24 19:31 1,030,144 a------- c:\windows\system32\d3d10.dll 2009-09-24 19:31 828,928 a------- c:\windows\system32\d2d1.dll 2009-09-24 19:30 481,792 a------- c:\windows\system32\dxgi.dll 2009-09-24 19:30 190,464 a------- c:\windows\system32\d3d10core.dll 2009-09-24 19:27 1,064,448 a------- c:\windows\system32\DWrite.dll 2009-09-24 19:27 793,088 a------- c:\windows\system32\FntCache.dll 2009-09-24 19:27 37,888 a------- c:\windows\system32\cdd.dll 2009-09-24 16:54 258,048 a------- c:\windows\system32\winspool.drv 2009-09-24 16:54 667,648 a------- c:\windows\system32\printfilterpipelinesvc.exe 2009-09-24 16:54 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll 2009-09-22 21:29 107,368 a----r-- c:\windows\system32\GEARAspi.dll 2009-09-09 20:01 3,023,360 a------- c:\windows\system32\UIRibbon.dll 2009-09-09 20:00 1,164,800 a------- c:\windows\system32\UIRibbonRes.dll 2009-09-09 20:00 92,672 a------- c:\windows\system32\UIAnimation.dll 2009-08-28 20:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll 2009-08-28 20:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll 2009-08-28 20:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll 2009-08-28 20:30 542,720 a------- c:\windows\apppatch\AcLayers.dll 2009-08-28 18:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll 2009-08-28 18:14 28,672 a------- c:\windows\system32\Apphlpdm.dll 2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini 2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat 2009-05-18 14:55 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT ============= FINISH: 6:54:34.18 ===============

Attached Files



#8 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 25 November 2009 - 12:39 PM

Try running GMER..

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
    Posted Image

  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#9 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 26 November 2009 - 10:29 AM

I had to run the program in safe mode because it caused the BSOD in normal mode.

Here are the results:
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-26 09:06:28
Windows 6.0.6002 Service Pack 2
Running: 4y6n5b7b.exe; Driver: C:\Users\MESERO~1\AppData\Local\Temp\kxkcakod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Thanks!

#10 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 27 November 2009 - 02:56 PM

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

    Advertisements

Register to Remove


#11 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 04 December 2009 - 10:55 AM

Sorry it took a few days to get this done...

One thing that I noticed that is frustrating- I remember turning windows defender off, but it keeps saying it's on, except when I click on the actual WDef program, which tells me it is turned off.

Also, the privacy center virus just showed up this morning, it wasn't a problem when I first posted here, FYI.


Anyway, here are the results:



ComboFix 09-12-03.06 - Meserole Family 12/04/2009 10:29.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2114 [GMT -6:00]
Running from: c:\users\Meserole Family\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1162322507-2519668355-3147520138-500
c:\$recycle.bin\S-1-5-21-1778506392-2858034369-1054927713-500
c:\$recycle.bin\S-1-5-21-938044594-2265241138-2217154608-500
c:\users\Meserole Family\AppData\Roaming\PC
c:\users\Meserole Family\AppData\Roaming\PC\agent.exe
c:\users\Meserole Family\AppData\Roaming\PC\faq\guide.html
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg1.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg10.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg2.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg3.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg4.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg5.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg6.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg7.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg8.jpg
c:\users\Meserole Family\AppData\Roaming\PC\faq\images\gimg9.jpg
c:\users\Meserole Family\AppData\Roaming\PC\pc.exe
c:\users\Meserole Family\AppData\Roaming\PC\settings.ini
c:\users\Meserole Family\AppData\Roaming\PC\uninstall.exe
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-04 13:07 . 2009-09-22 20:13 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\NAVENG.SYS
2009-12-04 13:07 . 2009-09-22 20:13 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\NAVENG32.DLL
2009-12-04 13:07 . 2009-09-22 20:13 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\NAVEX32A.DLL
2009-12-04 13:07 . 2009-09-22 20:13 1323568 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\NAVEX15.SYS
2009-12-04 13:07 . 2009-09-22 20:13 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\EECTRL.SYS
2009-12-04 13:07 . 2009-09-22 20:13 2747952 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\CCERASER.DLL
2009-12-04 13:07 . 2009-09-22 20:13 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\ECMSVR32.DLL
2009-12-04 13:07 . 2009-09-22 20:13 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091203.052\ERASER.SYS
2009-12-02 03:29 . 2009-12-02 17:34 -------- d-----w- c:\users\Meserole Family\AppData\Local\Google
2009-11-25 12:57 . 2009-11-25 12:57 0 ----a-w- c:\windows\system32\settings.dat
2009-11-25 12:41 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 12:39 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 12:39 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-22 02:28 . 2009-11-22 02:28 -------- d-----w- c:\programdata\Apple Computer
2009-11-17 09:50 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-17 09:50 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-17 01:18 . 2009-11-17 01:18 -------- d-----w- c:\program files\NOS
2009-11-16 13:29 . 2009-11-16 13:29 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-11-16 13:13 . 2009-11-16 13:13 4096 d-----w- c:\program files\ERUNT
2009-11-13 20:18 . 2009-11-13 20:18 -------- d-----w- c:\program files\MSXML 4.0
2009-11-13 20:18 . 2008-03-05 23:25 106496 ----a-w- c:\windows\system32\PTextEffect.dll
2009-11-13 20:18 . 2005-05-17 15:27 303183 ----a-w- c:\windows\system32\Email.dll
2009-11-13 20:18 . 2009-11-13 20:18 4096 d-----w- c:\program files\Video Express
2009-11-13 20:16 . 2006-04-11 08:49 118784 ------w- c:\windows\system32\PTTreeIcons.dll
2009-11-13 20:16 . 2009-11-13 20:18 12288 d-----w- c:\program files\Snap 'n Share pro
2009-11-12 22:50 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-11-12 22:50 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-11-12 22:50 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-11-12 22:50 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-11-12 22:50 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-11-11 20:35 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSXpx86.sys
2009-11-11 20:35 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\Scxpx86.dll
2009-11-11 20:35 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSvix86.sys
2009-11-11 20:35 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSxpx86.dll
2009-11-11 20:35 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSviA64.sys
2009-11-10 02:13 . 2009-11-10 02:13 -------- d-----w- c:\programdata\PopCap
2009-11-09 03:00 . 2009-11-09 03:06 -------- d-----w- c:\users\Meserole Family\AppData\Roaming\ICAClient
2009-11-08 01:20 . 2009-11-08 01:20 -------- d-----w- c:\users\Meserole Family\AppData\Local\Apple Computer
2009-11-07 22:56 . 2009-11-07 22:56 593920 ----a-w- c:\users\Meserole Family\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 10:02 . 2009-09-01 22:28 1614 ----a-w- c:\users\Meserole Family\AppData\Roaming\wklnhst.dat
2009-11-25 12:42 . 2009-09-01 22:54 8192 d-----w- c:\programdata\Microsoft Help
2009-11-25 12:41 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-22 02:28 . 2009-09-08 01:41 4096 d-----w- c:\program files\QuickTime
2009-11-17 01:25 . 2009-08-31 12:46 4096 d-----w- c:\programdata\NOS
2009-11-09 17:32 . 2009-09-11 18:37 4096 d-----w- c:\program files\Java
2009-11-09 03:00 . 2009-09-23 00:43 -------- d-----w- c:\program files\Citrix
2009-11-04 02:11 . 2009-11-04 02:11 -------- d-----w- c:\users\Meserole Home School\AppData\Roaming\CyberLink
2009-11-03 20:19 . 2009-11-03 20:19 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-03 20:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-03 20:19 . 2009-11-03 20:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 19:30 . 2009-11-03 19:24 4096 d-----w- c:\program files\Windows Live
2009-11-03 19:30 . 2009-11-03 19:30 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-03 19:25 . 2009-11-03 19:25 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-03 19:25 . 2009-11-03 19:25 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-03 19:11 . 2009-11-03 19:11 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-03 19:06 . 2009-05-18 20:00 -------- d-----w- c:\program files\LSI SoftModem
2009-11-03 19:05 . 2009-05-18 20:46 -------- d-----w- c:\program files\Microsoft
2009-11-02 21:21 . 2009-11-02 21:21 -------- d-----w- c:\users\Meserole Home School\AppData\Roaming\WildTangent
2009-11-02 21:15 . 2009-11-02 21:15 -------- d-----w- c:\users\Meserole Home School\AppData\Roaming\Hewlett-Packard
2009-11-02 21:14 . 2009-11-02 21:14 -------- d-----w- c:\users\Meserole Home School\AppData\Roaming\PictureMover
2009-11-02 21:14 . 2009-11-02 21:14 79376 ----a-w- c:\users\Meserole Home School\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-29 20:42 . 2009-10-29 20:42 -------- d-----w- c:\programdata\Kodak
2009-10-29 13:24 . 2009-08-31 02:45 79376 ----a-w- c:\users\Meserole Family\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-24 19:46 . 2009-09-01 19:05 4096 d-----w- c:\programdata\PopCap Games
2009-10-24 18:11 . 2009-09-07 15:51 4096 d-----w- c:\program files\RealArcade
2009-10-23 16:20 . 2009-09-01 13:29 1706096 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2009-10-23 16:01 . 2009-10-23 16:01 -------- d-----w- c:\programdata\GameHouse
2009-10-20 03:27 . 2009-10-02 04:30 143976 ----a-w- c:\users\Meserole Family\AppData\Roaming\Move Networks\uninstall.exe
2009-10-20 03:27 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Meserole Family\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2009-10-20 03:27 . 2009-09-03 14:06 4096 d-----w- c:\users\Meserole Family\AppData\Roaming\Move Networks
2009-10-17 21:12 . 2009-08-31 12:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-17 01:38 . 2009-09-02 03:58 4096 d-----w- c:\users\Meserole Family\AppData\Roaming\PlayFirst
2009-10-17 01:38 . 2009-09-02 03:58 4096 d-----w- c:\programdata\PlayFirst
2009-10-16 23:31 . 2009-05-18 20:38 20480 d-----w- c:\programdata\WildTangent
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\users\Meserole Family\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-12 17:43 . 2009-10-12 17:28 4096 d-----w- c:\users\Meserole Family\AppData\Roaming\Snood
2009-10-12 17:27 . 2009-10-12 17:27 4096 d-----w- c:\program files\Snood Deluxe
2009-10-11 19:25 . 2009-10-04 19:43 392 ----a-w- c:\users\Meserole Family\jobq.dat
2009-10-11 10:17 . 2009-10-04 19:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 15:07 . 2009-10-09 15:07 319488 ----a-w- c:\users\Meserole Family\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-10-08 21:08 . 2009-11-03 19:07 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-03 19:07 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-03 19:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-08 13:19 . 2009-05-18 20:23 -------- d-----w- c:\programdata\NVIDIA
2009-10-08 13:07 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-10-08 13:07 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-08 13:07 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-10-08 13:07 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-10-08 13:07 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-10-08 13:07 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-10-03 05:10 . 2009-08-03 21:48 4187512 ----a-w- c:\users\Meserole Family\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
2009-10-01 01:02 . 2009-11-03 19:08 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-03 19:08 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-03 19:08 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-03 19:08 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-03 19:08 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-03 19:08 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-03 19:08 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-03 19:08 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-03 19:08 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-03 19:08 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-03 19:08 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-03 19:08 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-25 02:10 . 2009-11-03 19:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-11-03 19:10 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-11-03 19:10 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-11-03 19:10 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-11-03 19:10 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-11-03 19:10 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-11-03 19:10 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-11-03 19:10 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-11-03 19:10 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-11-03 19:10 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-11-03 19:10 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-11-03 19:10 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-11-03 19:10 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-11-03 19:10 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-11-03 19:10 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-11-03 19:10 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-11-03 19:10 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-11-03 19:10 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-11-03 19:10 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-11-03 19:10 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-11-03 19:10 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-11-03 19:10 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-11-03 19:10 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-11-03 19:10 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-11-03 19:10 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-11-03 19:10 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-11-03 19:10 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-23 03:29 . 2009-09-23 03:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-23 03:29 . 2009-09-23 03:29 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-23 03:29 . 2009-09-23 03:29 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-09-23 03:29 . 2009-09-23 03:29 1291104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-05-18 20:55 . 2009-05-18 20:53 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-08 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-08 92704]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\Meserole Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\users\Meserole Home School\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(B):80,98,dd,08,19,48,ca,01

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0305020.00B\SymEFA.sys [9/22/2009 9:29 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys [9/22/2009 9:29 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0305020.00B\cchpx86.sys [9/22/2009 9:29 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSvix86.sys [11/12/2009 4:50 PM 343088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/22/2009 9:29 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/23/2009 7:20 PM 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0305020.00B\symndisv.sys [9/22/2009 9:29 PM 48688]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 8:23 PM 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [11/3/2009 1:30 PM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\PC-Doctor for Windows\pcdsrvc.pkms [2/2/2009 12:59 PM 20848]
S3 rootrepeal2;rootrepeal2;c:\windows\System32\drivers\rootrepeal2.sys [11/16/2009 7:29 AM 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\Norton Security Scan for Meserole Family.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-09-23 00:58]

2009-11-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Presario&pf=cndt
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: guardian.co.uk\www
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab
FF - ProfilePath - c:\users\Meserole Family\AppData\Roaming\Mozilla\Firefox\Profiles\1iqa5sdq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Meserole Family\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\Meserole Family\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-agent.exe - c:\users\Meserole Family\AppData\Roaming\PC\agent.exe
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
AddRemove-JumpStart World Presents Pet Playground - c:\program files\Common Files\Knowledge Adventure\Uninstall\PetPlaygroundUn.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-P-Center - c:\users\Meserole Family\AppData\Roaming\PC\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 10:37
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{4F253FFC-7957E8FC-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-12-04 10:40
ComboFix-quarantined-files.txt 2009-12-04 16:40

Pre-Run: 229,269,250,048 bytes free
Post-Run: 229,500,878,848 bytes free

- - End Of File - - BF8DC615D9EAB84AF5E68FCB331BBA54

#12 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 05 December 2009 - 01:15 PM

Hello.

Download and Run FlashDisinfector

  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#13 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 07 December 2009 - 08:27 AM

Flash disinfector wouldn't run. I tried to download and run it twice, but it didn't do anything when I clicked on it. Here is the mbam report: Malwarebytes' Anti-Malware 1.42 Database version: 3305 Windows 6.0.6002 Service Pack 2 Internet Explorer 8.0.6001.18828 12/6/2009 3:19:48 PM mbam-log-2009-12-06 (15-19-48).txt Scan type: Quick Scan Objects scanned: 102589 Time elapsed: 4 minute(s), 26 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Users\Meserole Family\downloads\b-stream_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

#14 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 07 December 2009 - 03:20 PM

That's because you're using vista. Don't worry about it for now. -- Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left. Thanks. With Regards, Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#15 computerwannabe

computerwannabe

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 10 December 2009 - 08:38 AM

Here are the DDS logs. Performance is much better so far, no major problems that I am aware of. DDS (Ver_09-06-26.01) - NTFSx86 Run by Meserole Family at 8:22:48.15 on Thu 12/10/2009 Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1997 [GMT -6:00] SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k GPSvcGroup C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\LSI SoftModem\agrsmsvc.exe C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Windows\system32\SearchIndexer.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Windows\system32\DllHost.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\taskeng.exe c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe C:\Windows\ehome\ehsched.exe C:\Windows\ehome\ehRecvr.exe C:\Windows\system32\rundll32.exe C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\System32\rundll32.exe C:\Windows\System32\wpcumi.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\explorer.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Users\Meserole Family\Downloads\dds.scr C:\Windows\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Presario&pf=cndt BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0552.0\msneshellx.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0552.0\msneshellx.dll TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0" mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5" mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0" mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\users\mesero~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL LSP: c:\windows\system32\wpclsp.dll Trusted Zone: guardian.co.uk\www DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/icaweb-20070115.cab DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://games.bigfishgames.com/en_dinerdashfloontheg/online/ddfotg.1.0.0.33.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll ================= FIREFOX =================== FF - ProfilePath - c:\users\mesero~1\appdata\roaming\mozilla\firefox\profiles\1iqa5sdq.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.ldsscripturemastery.net/ FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll FF - plugin: c:\program files\microsoft\office live\npOLW.dll FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071505000010.dll FF - plugin: c:\users\meserole family\appdata\roaming\move networks\plugins\npqmp071701000002.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-9-22 310320] R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-9-22 259632] R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-9-22 482432] R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-11-12 343088] R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-9-22 117640] R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512] R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-23 102448] R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-9-22 48688] S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504] S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-3 54632] S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864] S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2008-1-20 21504] S3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc.pkms [2009-2-2 20848] S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-11-16 34816] S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2009-5-18 133152] =============== Created Last 30 ================ 2009-12-06 15:11 <DIR> --d----- c:\users\mesero~1\appdata\roaming\Malwarebytes 2009-12-06 15:11 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-06 15:11 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-12-06 15:11 <DIR> --d----- c:\programdata\Malwarebytes 2009-12-06 15:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-12-06 15:11 <DIR> --d----- c:\progra~2\Malwarebytes 2009-12-04 10:40 <DIR> --dsh--- C:\$RECYCLE.BIN 2009-12-04 10:28 260,608 a------- c:\windows\PEV.exe 2009-12-04 10:28 161,792 a------- c:\windows\SWREG.exe 2009-12-04 10:28 98,816 a------- c:\windows\sed.exe 2009-12-04 10:28 77,312 a------- c:\windows\MBR.exe 2009-11-25 18:00 336,559,797 a------- c:\windows\MEMORY.DMP 2009-11-25 06:57 0 a------- c:\windows\system32\settings.dat 2009-11-25 06:41 2,048 a------- c:\windows\system32\tzres.dll 2009-11-25 06:39 1,401,856 a------- c:\windows\system32\msxml6.dll 2009-11-25 06:39 1,248,768 a------- c:\windows\system32\msxml3.dll 2009-11-25 06:39 714,240 a------- c:\windows\system32\timedate.cpl 2009-11-21 20:28 <DIR> --d----- c:\programdata\Apple Computer 2009-11-17 03:50 2,036,736 a------- c:\windows\system32\win32k.sys 2009-11-17 03:50 355,328 a------- c:\windows\system32\WSDApi.dll 2009-11-16 07:29 34,816 a------- c:\windows\system32\drivers\rootrepeal2.sys 2009-11-13 14:18 <DIR> --d----- c:\program files\MSXML 4.0 2009-11-13 14:18 34,904 a------- c:\windows\system32\htmlhelp.lib 2009-11-13 14:18 303,183 a------- c:\windows\system32\Email.dll 2009-11-13 14:18 106,496 a------- c:\windows\system32\PTextEffect.dll 2009-11-13 14:18 <DIR> --d----- c:\program files\Video Express 2009-11-13 14:16 118,784 -------- c:\windows\system32\PTTreeIcons.dll 2009-11-13 14:16 <DIR> --d----- c:\program files\Snap 'n Share pro 2009-11-10 23:08 94,208 a------- c:\windows\system32\QuickTimeVR.qtx 2009-11-10 23:08 69,632 a------- c:\windows\system32\QuickTime.qts ==================== Find3M ==================== 2009-12-07 04:53 1,724 a------- c:\users\mesero~1\appdata\roaming\wklnhst.dat 2009-11-03 14:19 665,600 a------- c:\windows\inf\drvindex.dat 2009-11-03 14:19 143,360 a------- c:\windows\inf\infstrng.dat 2009-11-03 14:19 143,360 a------- c:\windows\inf\infstor.dat 2009-11-03 14:19 51,200 a------- c:\windows\inf\infpub.dat 2009-11-03 14:19 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf 2009-10-11 13:25 392 a------- c:\users\meserole family\jobq.dat 2009-10-11 04:17 411,368 a------- c:\windows\system32\deploytk.dll 2009-10-08 15:08 555,520 a------- c:\windows\system32\UIAutomationCore.dll 2009-10-08 15:08 234,496 a------- c:\windows\system32\oleacc.dll 2009-10-08 15:07 4,096 a------- c:\windows\system32\oleaccrc.dll 2009-09-30 19:02 2,537,472 a------- c:\windows\system32\wpdshext.dll 2009-09-30 19:02 30,208 a------- c:\windows\system32\WPDShextAutoplay.exe 2009-09-30 19:02 334,848 a------- c:\windows\system32\PortableDeviceApi.dll 2009-09-30 19:02 87,552 a------- c:\windows\system32\WPDShServiceObj.dll 2009-09-30 19:02 31,232 a------- c:\windows\system32\BthMtpContextHandler.dll 2009-09-30 19:01 546,816 a------- c:\windows\system32\wpd_ci.dll 2009-09-30 19:01 160,256 a------- c:\windows\system32\PortableDeviceTypes.dll 2009-09-30 19:01 350,208 a------- c:\windows\system32\WPDSp.dll 2009-09-30 19:01 196,608 a------- c:\windows\system32\PortableDeviceWMDRM.dll 2009-09-30 19:01 100,864 a------- c:\windows\system32\PortableDeviceClassExtension.dll 2009-09-30 19:01 60,928 a------- c:\windows\system32\PortableDeviceConnectApi.dll 2009-09-30 19:01 81,920 a------- c:\windows\system32\wpdbusenum.dll 2009-09-24 20:10 974,848 a------- c:\windows\system32\WindowsCodecs.dll 2009-09-24 20:07 189,440 a------- c:\windows\system32\WindowsCodecsExt.dll 2009-09-24 20:04 321,024 a------- c:\windows\system32\PhotoMetadataHandler.dll 2009-09-24 19:49 1,554,432 a------- c:\windows\system32\xpsservices.dll 2009-09-24 19:48 351,232 a------- c:\windows\system32\XpsPrint.dll 2009-09-24 19:38 847,360 a------- c:\windows\system32\OpcServices.dll 2009-09-24 19:36 280,064 a------- c:\windows\system32\XpsGdiConverter.dll 2009-09-24 19:35 135,680 a------- c:\windows\system32\XpsRasterService.dll 2009-09-24 19:33 195,584 a------- c:\windows\system32\dxdiagn.dll 2009-09-24 19:33 829,440 a------- c:\windows\system32\d3d10warp.dll 2009-09-24 19:33 369,664 a------- c:\windows\system32\WMPhoto.dll 2009-09-24 19:32 252,928 a------- c:\windows\system32\dxdiag.exe 2009-09-24 19:31 519,680 a------- c:\windows\system32\d3d11.dll 2009-09-24 19:31 486,912 a------- c:\windows\system32\d3d10level9.dll 2009-09-24 19:31 161,280 a------- c:\windows\system32\d3d10_1.dll 2009-09-24 19:31 218,112 a------- c:\windows\system32\d3d10_1core.dll 2009-09-24 19:31 1,030,144 a------- c:\windows\system32\d3d10.dll 2009-09-24 19:31 828,928 a------- c:\windows\system32\d2d1.dll 2009-09-24 19:30 481,792 a------- c:\windows\system32\dxgi.dll 2009-09-24 19:30 190,464 a------- c:\windows\system32\d3d10core.dll 2009-09-24 19:27 1,064,448 a------- c:\windows\system32\DWrite.dll 2009-09-24 19:27 793,088 a------- c:\windows\system32\FntCache.dll 2009-09-24 19:27 37,888 a------- c:\windows\system32\cdd.dll 2009-09-24 16:54 258,048 a------- c:\windows\system32\winspool.drv 2009-09-24 16:54 667,648 a------- c:\windows\system32\printfilterpipelinesvc.exe 2009-09-24 16:54 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll 2009-09-22 21:29 107,368 a----r-- c:\windows\system32\GEARAspi.dll 2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini 2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat 2009-05-18 14:55 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT ============= FINISH: 8:23:15.91 =============== Thanks!

Attached Files


Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users