[Closed] spontaneous shut down and slow running
#1
Posted 29 April 2010 - 09:11 AM
#2
Posted 29 April 2010 - 03:33 PM
My name is JonTom.
- Malware Logs can sometimes take a lot of time to research and interpret.
- Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
- Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
- Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
- PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
- Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
- This may cause a delay in response time, but I will do my best to keep it as short as possible.
- I will reply back shortly with instructions.
Member of UNITE
Proud Graduate of the WTT Classroom
#3
Posted 30 April 2010 - 05:23 AM
Thank you for the logs. Before we begin cleaning your system, please work your way through the following steps:
- Security Programs
- I can see from your log that you have a number of real-time security programs running, namely Ad-Aware, SpywareGuard v2.2 and AVG.
- Whilst both of these programs provide good security, they may clash with each other which can leave your system vulnerable to infection.
- Please make sure that you only have ONE Firewall and ONE real-time Antivirus running on your system.
- GMER
- If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
- If GMER does not produce a log please try running it from Safe Mode:
- How to use the F8 method to Start Your Computer in Safe Mode
- Restart your computer.
- As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
- Use the arrow keys to select the Safe mode menu item.
- Press Enter.
- If GMER in safe mode does not work, please try RootRepeal:
- RootRepeal
- Please download RootRepeal to your desktop
- Physically disconnect your machine from the internet as your system will be unprotected.
- Unzip it to its own folder, close all other programs, especially your security programs (anti-spyware, anti-virus, and firewall), and run RootRepeal.exe
- Click the Report tab at the bottom and then the Scan button.
- A box will pop up, check the boxes beside Drivers, Files, Processes SSDT and click OK.
- Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
- The scan will take a little while to run, so let it go unhindered.
- Once it is done, click the "Save Report" button, call it RepealScan and save the log to your desktop.
- Reconnect to the internet.
Please provide the GMER/Rootrepeal log in your next reply. If you are still having trouble, come back and let me know.
#4
Posted 30 April 2010 - 03:54 PM
#5
Posted 01 May 2010 - 05:25 AM
Thank you for letting me know. The Malware on your system is interfering with our tools.
Please try the following before running GMER.
- DeFogger
- Please download DeFogger to your desktop.
- Double click DeFogger to run the tool.
- The application window will appear
- Click the Disable button to disable your CD Emulation drivers
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK
Do not re-enable these drivers until otherwise instructed.
- exeHelper
- Please download exeHelper by clicking here and save the file (called exeHelper.com) to your desktop.
- Double click on exeHelper.com to run the fix.
- A black window should pop up. Press any key to close once the fix is completed.
- Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).
- NOTE: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
If you are still having trouble running GMER, try running RootRepeal (instructions in previous post).
Post the logs if they are created, otherwise come back and we will try something else
#6
Posted 02 May 2010 - 08:28 PM
#7
Posted 03 May 2010 - 11:55 AM
also re-ran ERUNT, DDs, Defogger, exehelper & the malwarebyte scans and have those logs as well if you need them.
Thank you for letting me know. I would like to see the logs that exehelper and MBAM produced. Please do not run any more tools unless requested.
Also, please scan your system with DDS once more and post the log (along with exehelper and MBAM) in your next reply.
#8
Posted 03 May 2010 - 01:17 PM
#9
Posted 03 May 2010 - 06:10 PM
Thank you for the logs.
Please work your way through the following steps. If you encounter any difficulties, come back and let me know.
- Download Combofix and RE-NAME it BEFORE saving
- Download Combofix from either of the links below. You must rename it to ephillips.exe before saving it.
- Save it to your desktop. Change the "save as file type" to "all files".
- Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
Link 1
Link 2
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.
- Double click on the renamed ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.
#10
Posted 04 May 2010 - 08:16 PM
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\program files\Search Settings
c:\program files\Search Settings\SeARchsettings.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\windows\system32\hedafatu.dll
c:\windows\Tasks.\aurwolai.job
c:\windows\Tasks.\aurwolai.job . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.
2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Search Settings
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Dealio
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-18 20:33 . 2010-03-18 20:33 7750617 ----a-w- c:\documents and settings\All Users\SPL55.tmp
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-08 12:41 . 2009-09-08 01:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-09-08 00:58 . 2009-09-08 00:58 13643 ----a-w- c:\program files\Common Files\yhiqi.ban
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\IE\4.0.2\dealioToolbarIE.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-fadagohar - c:\windows\system32\kabifoti.dll
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
SharedTaskScheduler-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
SSODL-hugamunom-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SSODL-gobavivoj-{c9cac425-2a87-4d7b-a4b8-66798831dd86} - c:\windows\system32\hedafatu.dll
SSODL-merojozus-{610a94d8-9e65-4e3d-8412-ac72ea780a1e} - c:\windows\system32\hedafatu.dll
SSODL-muwarakos-{92ade6b1-c695-4db2-b6b2-caaa3e2237e1} - c:\windows\system32\hedafatu.dll
SSODL-zamezakif-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 21:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1492)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdkcoms.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
.
**************************************************************************
.
Completion time: 2010-05-04 22:02:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 02:02
ComboFix2.txt 2009-01-31 15:21
ComboFix3.txt 2009-01-16 19:45
ComboFix4.txt 2009-01-16 18:07
ComboFix5.txt 2010-05-05 01:17
Pre-Run: 172,081,438,720 bytes free
Post-Run: 173,642,485,760 bytes free
- - End Of File - - B29A6EEC321CF5AD9658855E0BB2EF68
#11
Posted 05 May 2010 - 05:18 PM
Thank you for the log. Before we continue, I would like to take a closer look at some files on your machine.
Please work your way through the following steps:
- Please run the following Command
- Click on "Start" and then on "Run".
- Copy and Paste the following command into the Run box:
cmd /c del /f/a/q "c:\windows\Tasks.\aurwolai.job"
- Click on "OK".
- Please make all files and folders VISIBLE:
- Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
- Choose to "Show hidden files and folders."
- Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
- Close the window with "OK".
- Please scan the following files
- Please visit Virus Total by clicking here.
- Click the Browse button and search for the following file: c:\program files\Common Files\yhiqi.ban
- Click Open.
- Then click Send File.
- Please be patient while the file is scanned.
- If Virus Total tells you that the file has already been scanned, click "reanalyse now".
- Once the scan results appear, copy and paste them into Notepad and repeat the procedure for the following file(s):
c:\documents and settings\All Users\SPL55.tmp
- Please provide the results from the scans in your next reply.
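The follow-up in the post above is driven by specific entries in the ComboFix log: the scheduled task ComboFix reported it "failed to delete", the orphaned SSODL and SharedTaskScheduler load points that all resolve to the same two DLLs, and the Reg Loading Points section showing the Security Center AntiVirusOverride value set and EnableFirewall at 0. As an added example (not part of the thread and not ComboFix's own code), the Python script below pulls those kinds of entries out of a ComboFix log; the abridged sample log, the section/line patterns and the triage heuristics are constructed for illustration.

```python
"""Triage a ComboFix log for the items a helper would follow up on. Added example, not
ComboFix's own code nor anything posted in the thread; the heuristics are constructed:
  failed_delete    line ends in "failed to delete" (manual removal still needed)
  posture          AV override / firewall off / on-access scanning off
  multi_loadpoint  one file referenced by 2+ autostart mechanisms in ORPHANS REMOVED
  suspicious_file  hidden/system file under the profile tree, or an unexpected extension
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted above (abridged; paths are the thread's).
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\hedafatu.dll
c:\windows\Tasks.\aurwolai.job
c:\windows\Tasks.\aurwolai.job . . . . failed to delete
((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-09-08 00:58 . 2009-09-08 00:58 13643 ----a-w- c:\program files\Common Files\yhiqi.ban
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-fadagohar - c:\windows\system32\kabifoti.dll
SharedTaskScheduler-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SharedTaskScheduler-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
SSODL-hugamunom-{592b04eb-0fcc-44a0-847b-5a47513fd919} - c:\windows\system32\hedafatu.dll
SSODL-zamezakif-{63431ed0-8fe0-4fd2-8913-5d13302864de} - c:\windows\system32\kabifoti.dll
AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE
"""

# Section banners: "(((( Name ))))", "----- Name -----" and "- - - - Name - - - -".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$|^-{3,}\s*(.+?)\s*-{3,}$|^- - - - (.+?) - - - -$")
# "<created> . <modified> <size|--------> <attrs> <path>" lines in the file listings.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+(\S+)\s+(.+)$")
# "<mechanism>-<name> - <target>" lines in the ORPHANS REMOVED section.
ORPHAN_RE = re.compile(r"^([A-Za-z]+(?:-Run)?)-(.*) - (.+)$")
POSTURE = {
    "AV on-access scanning disabled": re.compile(r"On-access scanning disabled", re.I),
    "Security Center AntiVirusOverride set": re.compile(r'"AntiVirusOverride"=dword:0*1\b', re.I),
    "Windows Firewall disabled (EnableFirewall=0)": re.compile(r'"EnableFirewall"=\s*0\b', re.I),
}
EXPECTED_EXT = {".dll", ".exe", ".sys", ".scr", ".ocx", ".dat", ".tmp", ".ini", ".xml", ".mui"}
PROFILE_ROOT = r"c:\documents and settings"


def parse_sections(text):
    """Split the log into {section name: [lines]}; blank and '.' spacer lines are dropped."""
    sections, current = defaultdict(list), "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = next(g for g in m.groups() if g)
            continue
        sections[current].append(line)
    return sections


def triage(text):
    """Return (category, detail) findings in log order, then multi-load-point files."""
    sections = parse_sections(text)
    findings = []
    for lines in sections.values():
        for line in lines:
            if line.endswith("failed to delete"):
                findings.append(("failed_delete", line.split(" . ")[0]))
            for label, pat in POSTURE.items():
                if pat.search(line):
                    findings.append(("posture", label))
            fm = FILE_RE.match(line)
            if not fm or fm.group(1) == "--------":  # not a file entry, or a directory
                continue
            attrs, path = fm.group(2), fm.group(3)
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            ext = name[name.rfind("."):] if "." in name else ""
            hidden = ("h" in attrs or "s" in attrs) and low.startswith(PROFILE_ROOT)
            if hidden or ext not in EXPECTED_EXT:
                findings.append(("suspicious_file", path))
    # One file wired into several autostart mechanisms is a strong persistence signal.
    mechanisms = defaultdict(set)
    for line in sections.get("ORPHANS REMOVED", []):
        om = ORPHAN_RE.match(line)
        if om:
            mechanisms[om.group(3).lower()].add(om.group(1))
    for target, mechs in sorted(mechanisms.items()):
        if len(mechs) >= 2:
            findings.append(("multi_loadpoint", f"{target} <- {', '.join(sorted(mechs))}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category:16}] {detail}")
```

Flagged items are a review list for a human, not a verdict: the hidden licence file it picks up under All Users is only there because it is hidden and system-attributed in a profile directory, which is exactly the kind of entry a helper checks rather than deletes.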
#12
Posted 05 May 2010 - 07:30 PM
#13
Posted 06 May 2010 - 11:34 AM
Thank you for the scan logs.
- Please work through the following steps
- Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
- NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
- Copy and Paste the text in the quotebox below into the open Notepad window:
File::
c:\program files\Common Files\yhiqi.ban
c:\documents and settings\All Users\SPL55.tmp
Folder::
c:\documents and settings\Erin\Application Data\Search Settings
c:\documents and settings\Erin\Application Data\Dealio
DirLook::
c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
- Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
- Close any open browsers.
- Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Referring to the picture below, drag CFScript.txt into ComboFix.exe.
- When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Once the log is produced, re-engage your resident anti virus.
- Clean out your temporary files
- Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
- Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
- Check the boxes to the left of the following:
- Windows Temp
- Current User Temp
- All Users Temp
- Temporary Internet Files
- Java Cache
- The rest are optional. If you want to remove everything check the "Select All" box.
- Click on "Empty Selected" to begin cleaning.
- Once the "Done Cleaning" message appears, click OK.
- If you use Firefox, Click on the Firefox tab and repeat the above process.
- When you have finished cleaning, click on the "Exit" button in the main menu.
- Please perform the following scan:
- You have MalwareBytes AntiMalware installed.
- Double click on your MalwareBytes AntiMalware icon to launch the program.
- Click on the "Update" tab and then on "Check for Updates".
- The program will now install the latest Malware definition files.
- Once complete, click on the "Scanner" tab, select "Perform full scan" and then click on "Scan".
- Once the program has scanned your computer, a log file will be created in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
- The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
- Come back here to this thread and Paste the log in your next reply.
- Please perform the following scan:
- This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.
- It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
- DO NOT surf the net while your resident protection is disabled!
- Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.
- Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run (at times it may appear to stall).
- Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Once the scan is complete, click on View scan report. To obtain the report:
- Click on: Save Report As
- Next, in the Save as prompt, Save in area, select: Desktop
- In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
- Then, click: Save
- Please post the Kaspersky Online Scanner Report in your reply.
- If you need help performing the above steps, an animated tutorial can be found here.
In your next reply please provide the ComboFix log, the MBAM log and the Kaspersky Online Scan log.
Also, please describe how your machine is behaving now. Are you still experiencing problems?
#14
Posted 09 May 2010 - 03:26 AM
#15
Posted 09 May 2010 - 08:32 AM
Thanks again.
ComboFix 10-05-05.0D - Erin 05/06/2010 16:58:00.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -4:00]
Running from: c:\documents and settings\Erin\Desktop\ephillips.exe
Command switches used :: c:\documents and settings\Erin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\documents and settings\All Users\SPL55.tmp"
"c:\program files\Common Files\yhiqi.ban"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\SPL55.tmp
c:\documents and settings\Erin\Application Data\Dealio
c:\documents and settings\Erin\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Erin\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Erin\Application Data\Search Settings
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14731.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14732.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14733.log
c:\documents and settings\Erin\Application Data\Search Settings\kb130\temp\ws-14734.log
c:\program files\Common Files\yhiqi.ban
.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.
2010-05-05 01:48 . 2010-05-05 01:48 -------- d-----w- c:\windows\system32\Lang
2010-05-03 00:04 . 2010-05-03 00:04 15 ----a-w- c:\documents and settings\Erin\settings.dat
2010-05-02 22:41 . 2010-05-02 22:55 -------- d-----w- C:\v2d
2010-05-02 22:41 . 2010-05-02 22:58 -------- d-----w- c:\program files\Total Video2Dvd
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\program files\Application Updater
2010-05-02 22:16 . 2000-10-01 21:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2010-05-02 22:16 . 1999-03-25 21:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-05-02 22:16 . 1998-07-13 01:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2010-05-02 22:16 . 1998-07-13 01:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2010-05-02 22:16 . 1998-07-12 21:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2010-05-02 22:16 . 2010-05-02 22:16 -------- d-----w- c:\documents and settings\Erin\Application Data\FreeBurner
2010-05-02 19:25 . 2010-05-02 19:25 -------- d-----w- c:\program files\3ivx
2010-04-29 13:26 . 2010-04-29 13:27 -------- d-----w- c:\program files\ERUNT
2010-04-29 03:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 01:29 . 2003-01-26 17:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-21 20:54 -------- d-----w- c:\documents and settings\Erin\Application Data\HandBrake
2010-04-21 20:54 . 2010-04-29 03:46 -------- d-----w- c:\program files\Handbrake
2010-04-21 20:32 . 2010-04-21 20:32 -------- d-----w- c:\windows\system32\windows media
2010-04-21 20:28 . 2010-04-21 20:28 -------- d-----w- c:\program files\Common Files\Protexis
2010-04-21 20:26 . 2010-04-21 20:56 -------- d-----w- c:\documents and settings\Erin\Application Data\Corel
2010-04-21 20:23 . 2010-04-21 20:27 -------- d-----w- c:\program files\Common Files\Corel
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Windows Media Components
2010-04-21 20:22 . 2010-04-21 20:22 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-21 20:22 . 2007-10-22 07:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2010-04-21 20:22 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-21 20:22 . 2007-10-12 19:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2010-04-21 20:22 . 2007-10-02 13:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2010-04-21 20:22 . 2007-07-20 04:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-04-21 20:22 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2010-04-21 20:22 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2010-04-21 17:14 . 2010-04-21 20:33 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\NOS
2010-04-19 00:15 . 2010-04-19 00:15 -------- d-----w- c:\program files\Flip Video
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\ImTOO
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\documents and settings\Erin\Application Data\ImTOO
2010-04-18 19:31 . 2010-04-18 19:32 -------- d-----w- c:\documents and settings\Erin\Application Data\Nero
2010-04-18 19:30 . 2010-04-18 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-04-18 17:46 . 2004-10-12 18:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-04-18 17:46 . 2004-10-12 18:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-04-18 17:46 . 2004-10-05 20:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-04-18 17:46 . 2004-10-04 05:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-04-18 17:10 . 2010-04-18 17:46 -------- d-----w- c:\program files\Cucusoft
2010-04-18 17:10 . 2004-05-26 14:07 1153417 ----a-w- c:\windows\system32\cygwin1.dll
2010-04-18 17:10 . 2004-05-13 22:39 1208320 ----a-w- c:\windows\system32\cygxml2-2.dll
2010-04-18 17:10 . 2003-12-04 15:03 62464 ----a-w- c:\windows\system32\cygz.dll
2010-04-18 17:10 . 2003-08-11 08:59 980992 ----a-w- c:\windows\system32\cygiconv-2.dll
2010-04-18 16:54 . 2010-04-18 16:54 -------- d-----w- c:\documents and settings\Erin\Application Data\AnvSoft
2010-04-15 07:00 . 2010-04-15 07:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-14 11:40 . 2010-04-14 11:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-13 21:51 . 2010-04-13 21:51 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Search
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-07 17:16 . 2010-04-07 17:16 503808 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcp71.dll
2010-04-07 17:16 . 2010-04-07 17:16 499712 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\jmc.dll
2010-04-07 17:16 . 2010-04-07 17:16 348160 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7a15473b-n\msvcr71.dll
2010-04-07 17:16 . 2010-04-07 17:16 61440 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-sse.dll
2010-04-07 17:16 . 2010-04-07 17:16 12800 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5a77ce07-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 12:35 . 2007-12-15 15:34 -------- d-----w- c:\program files\Google
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 5018 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 12:29 . 2008-09-24 20:28 248 --sh--r- c:\documents and settings\All Users\Application Data\E27CF4E0CB.sys
2010-05-03 00:22 . 2010-01-27 21:33 -------- d-----w- c:\program files\LimeWire
2010-05-03 00:00 . 2007-12-15 15:47 -------- d-----w- c:\program files\WinAce
2010-05-02 22:51 . 2007-12-15 13:09 105752 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 17:52 . 2008-04-14 15:23 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-02 17:52 . 2007-12-15 13:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:37 . 2009-10-15 21:04 -------- d-----w- c:\program files\Orb Networks
2010-04-30 19:50 . 2008-09-16 19:48 -------- d-----w- c:\program files\SpywareGuard
2010-04-29 11:32 . 2009-01-16 20:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 04:01 . 2009-03-25 11:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-29 03:46 . 2007-12-25 14:23 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2010-04-29 03:36 . 2008-01-01 21:19 -------- d-----w- c:\program files\Java
2010-04-21 23:56 . 2008-07-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-04-21 20:32 . 2008-08-13 19:21 -------- d-----w- c:\documents and settings\Erin\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-08-13 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-04-21 20:31 . 2008-10-26 23:05 -------- d-----w- c:\program files\Corel
2010-04-21 20:30 . 2008-08-15 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-04-21 17:31 . 2009-07-26 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:14 . 2009-07-26 14:55 -------- d-----w- c:\program files\NOS
2010-04-15 07:04 . 2007-12-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-07 17:17 . 2008-09-15 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 12:45 . 2010-03-30 04:24 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-30 04:32 . 2010-03-30 04:32 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-30 04:24 . 2010-03-30 04:24 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Desktop Search
2010-03-30 03:57 . 2008-03-08 16:09 -------- d-----w- c:\program files\Dvd-cloner
2010-03-25 04:32 . 2008-03-05 10:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2010-03-24 14:49 . 2010-02-11 02:20 50354 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\uninstall.exe
2010-03-24 14:49 . 2010-03-24 14:49 2114184 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
2010-03-24 14:49 . 2010-02-11 02:20 -------- d-----w- c:\documents and settings\Erin\Application Data\Facebook
2010-03-11 21:39 . 2010-03-11 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\documents and settings\Erin\Application Data\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-03-09 02:32 . 2010-03-09 02:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-09 02:31 . 2010-03-09 02:32 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:31 . 2008-08-31 15:07 38784 ----a-w- c:\documents and settings\Erin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-09 02:30 . 2010-03-08 19:41 -------- d-----w- c:\program files\MyPublisher
2010-03-08 19:29 . 2008-10-09 03:19 -------- d-----w- c:\program files\BookSmart
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Erin\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-09-15 20:46 . 2008-08-15 12:15 88 --sh--r- c:\windows\system32\E27CF4E0CB.sys
2008-09-15 20:46 . 2008-08-15 12:11 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} ----
2009-03-25 11:36 . 2009-03-25 11:36 90 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\instance.dat
2009-03-25 11:36 . 2010-04-29 04:01 487 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.dat
2009-03-25 11:36 . 2009-03-25 11:36 9 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.lan
2009-03-25 11:36 . 2009-03-25 11:36 9318 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.par
2009-03-25 11:36 . 2009-03-12 08:17 5115615 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.res
2009-03-25 11:36 . 2009-03-12 08:17 578782 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\mia.lib
2009-03-25 11:36 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-03-25 11:36 . 2009-03-12 08:17 1802240 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.msi
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-04-14 524944]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-04-14 105632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-08 524632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-21 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/25/2009 7:40 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2008 12:44 PM 335240]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 5:16 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [6/14/2007 4:15 AM 99248]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [2/13/2008 2:17 PM 618112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} - hxxp://ezprints.mye-pix.com/software/ezuploader.cab
DPF: {B87A4DE2-57A3-41CA-8781-89D43EA6EEF4} - hxxp://videomessages.live.com/Portal/ClientBin/VCaptCtl.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {D53A9247-2FEA-4E93-8EEE-9A9B07E8D760} - hxxp://www.ezprints.com/software/cropfit.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 17:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1409082233-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-05-06 17:08:53
ComboFix-quarantined-files.txt 2010-05-06 21:08
ComboFix2.txt 2010-05-05 02:02
ComboFix3.txt 2009-01-31 15:21
ComboFix4.txt 2009-01-16 19:45
ComboFix5.txt 2010-05-06 20:57
Pre-Run: 173,457,506,304 bytes free
Post-Run: 173,519,728,640 bytes free
- - End Of File - - 1BE7B93382BAF22551E87176ECD5A671
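The ComboFix report above is read section by section: the files it deleted become indicators, the Run keys and Scheduled Tasks are checked for loaders, and the Security Center and firewall policy values show whether the machine's own defences were switched off (here "AntiVirusOverride"=1 and "EnableFirewall"=0). The script below is an added example, written for this page and not part of the thread, ComboFix or any Lavasoft tool; it parses those sections from a constructed excerpt that mirrors the log above and returns the findings a helper would act on. The "random-looking task name" heuristic (a single lowercase token of six or more letters) and the "bare filename in a Run value" check are assumptions of this example, not rules ComboFix applies.

```python
"""Triage the sections of a ComboFix-style report that a helper reads first.

Added example (not from the forum thread or from ComboFix). SAMPLE_LOG is a
constructed excerpt modelled on the report posted above.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\SPL55.tmp
c:\program files\Common Files\yhiqi.ban
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
2010-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:41]
2010-05-03 c:\windows\Tasks\aurwolai.job
.
"""

HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # (((( Section Name ))))
TASKS_HEADER = "Contents of the 'Scheduled Tasks' folder"
KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"=value
JOB_RE = re.compile(r"\\([^\\]+)\.job$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"[a-z]{6,}")                # assumption: one lowercase token


def split_sections(text):
    """Map each section title to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if line == TASKS_HEADER:
            current = "Scheduled Tasks"
            sections[current] = []
            continue
        if current and line and line != ".":
            sections[current].append(line)
    return sections


def parse_registry(lines):
    """Return {lower-cased key path: {value name: raw value text}}."""
    values, key = {}, None
    for line in lines:
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1).lower()
            values.setdefault(key, {})
            continue
        value_match = VALUE_RE.match(line)
        if key and value_match:
            values[key][value_match.group(1)] = value_match.group(2)
    return values


def triage(text):
    """Return (kind, detail) findings for the sections a helper acts on."""
    sections = split_sections(text)
    findings = []
    # Files ComboFix removed are the indicators to record (hashes are gone).
    for path in sections.get("Other Deletions", []):
        findings.append(("ioc", path))
    registry = parse_registry(sections.get("Reg Loading Points", []))
    for key, values in registry.items():
        if key.endswith(r"\currentversion\run"):
            for name, raw in values.items():
                quoted = re.match(r'"([^"]*)"', raw)
                target = quoted.group(1) if quoted else raw
                if "\\" not in target:   # no directory: resolved by path search
                    findings.append(("run-bare-name", f"{name} -> {target}"))
        if key.endswith("security center") and values.get("AntiVirusOverride", "").endswith("1"):
            findings.append(("av-override", "Security Center AntiVirusOverride=1"))
        if key.endswith(r"firewallpolicy\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append(("firewall-off", "Windows Firewall disabled (standard profile)"))
    for line in sections.get("Scheduled Tasks", []):
        job = JOB_RE.search(line)
        if job and RANDOM_STEM_RE.fullmatch(job.group(1)):
            findings.append(("task-random-name", job.group(1) + ".job"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

Run against the sample it reports the two deleted files as indicators, the `SkyTel` Run value that carries no directory, the suppressed Security Center alerting, the disabled firewall, and `aurwolai.job`, while leaving the vendor's `Ad-Aware Update (Weekly).job` alone. On a real report, feed it the whole `C:\ComboFix.txt`; the parser ignores the lines it does not recognise.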