Problem with avgcsrvx.exe? [Solved]


38 replies to this topic

#1 molongriff (Authentic Member, 40 posts)

Posted 08 December 2011 - 11:10 AM

I had AVG (paid-for version) running on my computer when I got it from a friend. I have always suspected that AVG was slowing things up, and it also let some malware through, so I was thinking of replacing it once the subscription was due for renewal. Just over a week ago the computer suddenly slowed down so much that it was almost impossible to use it. On checking the task manager, I found that the CPU was running at almost 100% all the time. When I looked at the processes I found that avgcsrvx.exe seemed to be using most of the CPU. While disconnected from the internet I tried disabling various things in AVG without success. Having enabled everything again, I updated AVG, Malwarebytes and SuperAntispyware and ran the AVG scan for rootkits, and the quick scans with Malwarebytes and SuperAntispyware. None of these found anything. I didn't attempt the full scan with AVG because the speed was so slow that it would have taken forever.
Since I don't want to continue with AVG anyway, I disconnected from the internet and uninstalled AVG. The computer immediately returned to its normal speed and the problem appeared to be cured. However, before installing alternative antivirus software I would like to be as sure as possible that this problem wasn't caused by malware, whether new or still lurking on my computer since the previous problem. Can you please tell me how I can do that? Meanwhile I am not, of course, connecting the computer to the internet. I have an alternative computer which I can use to access the internet. I would be very grateful for your advice.

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ian Petrie at 8:44:39.39 on 08/12/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.522 [GMT 0:00]
.
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Cobian Backup 10\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\Ian Petrie\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///E:/Sarah/system/Bookmarks.html
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start [url="http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBWADIASABZAC0AMgBaAEMAVwBTAC0AQgBBAFkAVwBSAC0AQwBDAEwAWgBUAC0AVwBaAEgAVAAyAA"&"inst=NwA2AC0ANQAwADQAOAAxADUANQAzADgALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAFAATAArADkALQBOADEARAArADEALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwA1ADEANQAwADIALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAC0AUAA5ADAATQAxADIAQwArADEALQBQADkAVQArADEALQBVADkANQArADEALQBUAEIAKwAxAC0AUAA5AFIAKwAxAC0AUAA5ADAAVABCACsAMgA"&"prod=92"&"ver=9.0.894"]http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.894[/url]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\ianpet~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-11-9 525840]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-10-30 67584]
R2 CobianBackup10;Cobian Backup 10;c:\program files\cobian backup 10\cbService.exe [2010-10-30 1125376]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [2011-11-30 855904]
S3 cpuz132;cpuz132;\??\c:\docume~1\ianpet~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\ianpet~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
.
=============== Created Last 30 ================
.
2011-12-03 11:24:44 -------- d-----w- c:\docume~1\ianpet~1\applic~1\AVG Secure Search
2011-12-03 11:21:41 -------- d-----w- c:\windows\pss
2011-11-30 11:39:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Secure Search
2011-11-30 11:38:26 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-11-30 11:38:00 -------- d-----w- c:\program files\AVG Secure Search
2011-11-12 11:23:24 -------- d-----w- c:\windows\Internet Logs
2011-11-12 11:22:16 -------- d-----w- c:\docume~1\ianpet~1\locals~1\applic~1\ZoneAlarm_Security
2011-11-12 11:22:11 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-11-12 11:21:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\CheckPoint
2011-11-12 11:13:55 -------- d-----w- c:\docume~1\ianpet~1\locals~1\applic~1\Temp
.
==================== Find3M ====================
.
2011-11-16 21:30:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 05:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 8:46:15.15 ===============



#2 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 08 December 2011 - 01:00 PM

Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method (Recommended: Immediate Notification).
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.
----------

AVG is a resource hog and unfortunately so is Zone Alarm. I see that you still have entries in your logs that are related to AVG. Please download and run the tool found here to completely remove AVG.
----------

Please run a new scan with DDS and save both logs created.
----------


Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------

In your next reply please post the new logs created by DDS and the log created by aswMBR. :)

#3 molongriff (Authentic Member, 40 posts)

Posted 08 December 2011 - 05:24 PM

Hi Jeff

Many thanks for helping me. I am very grateful. My name is Sarah.

I ran the AVG removal tool. Then I re-ran DDS and finally ran aswMBR as instructed.

I noted that DDS specifically said I should zip and attach the file Attach.txt rather than post it, so I am doing this. I hope this is OK. If not, please say so and I will post it.

I noticed that there were some error messages when I ran the AVG removal tool, and that there are still some references to AVG in DDS.txt. Do I need to re-run the removal tool?

When running aswMBR I said no to downloading Avast as I wasn't connected to the internet, because I'm not happy about connecting to the internet when there is no antivirus on the computer. If you think I should have said yes and downloaded it, please let me know.

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ian Petrie at 22:44:56.76 on 08/12/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.588 [GMT 0:00]
.
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Cobian Backup 10\cbService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\Ian Petrie\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///E:/Sarah/system/Bookmarks.html
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start [url="http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBWADIASABZAC0AMgBaAEMAVwBTAC0AQgBBAFkAVwBSAC0AQwBDAEwAWgBUAC0AVwBaAEgAVAAyAA"&"inst=NwA2AC0ANQAwADQAOAAxADUANQAzADgALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAFAATAArADkALQBOADEARAArADEALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwA1ADEANQAwADIALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAC0AUAA5ADAATQAxADIAQwArADEALQBQADkAVQArADEALQBVADkANQArADEALQBUAEIAKwAxAC0AUAA5AFIAKwAxAC0AUAA5ADAAVABCACsAMgA"&"prod=92"&"ver=9.0.894"]http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.894[/url]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\ianpet~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-11-9 525840]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-10-30 67584]
R2 CobianBackup10;Cobian Backup 10;c:\program files\cobian backup 10\cbService.exe [2010-10-30 1125376]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\ianpet~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\ianpet~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
.
=============== Created Last 30 ================
.
2011-12-03 11:24:44 -------- d-----w- c:\docume~1\ianpet~1\applic~1\AVG Secure Search
2011-12-03 11:21:41 -------- d-----w- c:\windows\pss
2011-11-30 11:39:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Secure Search
2011-11-30 11:38:26 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-11-30 11:38:00 -------- d-----w- c:\program files\AVG Secure Search
2011-11-12 11:23:24 -------- d-----w- c:\windows\Internet Logs
2011-11-12 11:22:16 -------- d-----w- c:\docume~1\ianpet~1\locals~1\applic~1\ZoneAlarm_Security
2011-11-12 11:22:11 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-11-12 11:21:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\CheckPoint
2011-11-12 11:13:55 -------- d-----w- c:\docume~1\ianpet~1\locals~1\applic~1\Temp
.
==================== Find3M ====================
.
2011-11-16 21:30:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 05:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 22:46:31.40 ===============


aswMBR.txt

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-08 22:51:38
-----------------------------
22:51:38.312 OS Version: Windows 5.1.2600 Service Pack 3
22:51:38.312 Number of processors: 1 586 0x102
22:51:38.312 ComputerName: TINY UserName:
22:51:38.765 Initialize success
22:53:22.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
22:53:22.468 Disk 0 Vendor: Maxtor_6Y060L0 YAR41VW0 Size: 58644MB BusType: 3
22:53:22.484 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
22:53:22.484 Disk 1 Vendor: SAMSUNG_SV4002H QP100-07 Size: 38204MB BusType: 3
22:53:24.500 Disk 0 MBR read successfully
22:53:24.500 Disk 0 MBR scan
22:53:24.500 Disk 0 Windows XP default MBR code
22:53:24.500 Disk 0 scanning sectors +120085875
22:53:24.562 Disk 0 scanning C:\WINDOWS\system32\drivers
22:53:32.546 Service scanning
22:53:33.812 Modules scanning
22:53:41.875 Disk 0 trace - called modules:
22:53:41.890 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:53:41.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f6eab8]
22:53:42.406 3 CLASSPNP.SYS[f770ffd7] -> nt!IofCallDriver -> \Device\00000061[0x85f91f18]
22:53:42.406 5 ACPI.sys[f7686620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x85f57940]
22:53:42.421 Scan finished successfully
22:54:01.937 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ian Petrie\Desktop\MBR.dat"
22:54:01.937 The log file has been saved successfully to "C:\Documents and Settings\Ian Petrie\Desktop\aswMBR.txt"

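Jeff's remark that AVG entries were still in the log, and Sarah's question about the references that remain after the removal tool, both come down to reading the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections. The script below is an added example (not the DDS tool's code, nor anything posted in this thread): it parses constructed excerpts modelled on the two logs above and flags orphaned "No File" registrations, services DDS marked "[?]", drivers loading from a temp directory, and lines still naming a removed vendor; `triage`, `name_orphans` and the sample strings are all hypothetical names.

```python
"""Triage helper for the DDS log format posted in this thread (added example,
not DDS's own code). Flags orphaned registrations ("No File"), services whose
binary DDS could not find ("[?]"), drivers under a temp directory, and lines
still naming a removed vendor. Sample text is constructed from the thread."""
import re
from dataclasses import dataclass

# Constructed excerpt of the log posted BEFORE the AVG removal tool was run.
BEFORE_REMOVAL = r"""============== Pseudo HJT Report ===============
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
============= FINISH: 8:46:15.15 ===============
"""

# Constructed excerpt of the log posted AFTER the removal tool was run.
AFTER_REMOVAL = r"""============== Pseudo HJT Report ===============
.
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\toolbarupdater.exe --> c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\ianpet~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\ianpet~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
============= FINISH: 22:46:31.40 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)


@dataclass
class Finding:
    kind: str   # orphan | missing_file | temp_path | vendor_leftover
    line: str


def split_sections(text):
    """Map each '=== Title ===' DDS section to its lines ('.' spacers dropped)."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def triage(text, removed_vendor=None):
    """Flag leftover or suspicious entries; removed_vendor is a name that should
    no longer appear anywhere (e.g. "avg" once AVG has been uninstalled)."""
    findings, vendor = [], (removed_vendor or "").lower()
    sections = split_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        if line.rstrip().endswith("- No File"):
            findings.append(Finding("orphan", line))   # registration, no DLL
        elif vendor and vendor in line.lower():
            findings.append(Finding("vendor_leftover", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        fields = line.split(";")          # "R2 name;description;path [date size]"
        if len(fields) < 3:
            continue
        path = fields[2]
        if path.rstrip().endswith("[?]"):   # DDS could not stat the binary
            findings.append(Finding("missing_file", line))
        if TEMP_RE.search(path):            # kernel driver under a temp directory
            findings.append(Finding("temp_path", line))
        if vendor and vendor in line.lower():
            findings.append(Finding("vendor_leftover", line))
    return findings


def name_orphans(previous_text, current_text):
    """Attribute 'No File' GUIDs in the current log to the product name the same
    GUID carried in an earlier log (DDS prints GUIDs in mixed case, so compare
    them case-insensitively)."""
    names = {}
    for line in split_sections(previous_text).get("Pseudo HJT Report", []):
        m = GUID_RE.search(line)
        if m and "No File" not in line:
            # "BHO: AVG Safe Search: {guid} - path"  ->  "AVG Safe Search"
            label = line.partition(":")[2].split("{")[0].strip().rstrip(":")
            names[m.group(0).lower()] = label or "unnamed"
    result = {}
    for f in triage(current_text):
        if f.kind == "orphan":
            guid = GUID_RE.search(f.line).group(0).lower()
            result[guid] = names.get(guid, "unknown")
    return result


if __name__ == "__main__":
    for f in triage(AFTER_REMOVAL, removed_vendor="avg"):
        print(f"{f.kind:16} {f.line[:90]}")
    print(name_orphans(BEFORE_REMOVAL, AFTER_REMOVAL))
```

Comparing GUIDs across the two logs is what lets the anonymous "No File" BHO in the second log be tied back to the AVG Safe Search entry named in the first.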

#4 jeffce (Malware Guy, Authentic Member, 8,693 posts)

Posted 08 December 2011 - 09:13 PM

Hi Sarah,

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

#5 molongriff (Authentic Member, 40 posts)

Posted 09 December 2011 - 07:14 PM

Hi Jeff

Here is the result of the ComboFix scan as in the file ComboFix.txt:


ComboFix 11-12-09.03 - Ian Petrie 09/12/2011 23:56:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.453 [GMT 0:00]
Running from: c:\documents and settings\Ian Petrie\Desktop\ComboFix.exe
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
c:\documents and settings\Ian Petrie\Application Data\1DE2.0E7
c:\documents and settings\Ian Petrie\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
.
.
2011-12-03 11:24 . 2011-12-03 11:24 -------- d-----w- c:\documents and settings\Ian Petrie\Application Data\AVG Secure Search
2011-11-30 11:39 . 2011-11-30 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2011-11-30 11:38 . 2011-11-30 11:39 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-11-30 11:38 . 2011-12-08 22:37 -------- d-----w- c:\program files\AVG Secure Search
2011-11-12 11:23 . 2011-12-09 23:51 -------- d-----w- c:\windows\Internet Logs
2011-11-12 11:22 . 2011-11-27 21:18 -------- d-----w- c:\documents and settings\Ian Petrie\Local Settings\Application Data\ZoneAlarm_Security
2011-11-12 11:22 . 2011-11-12 11:22 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-11-12 11:21 . 2011-11-12 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2011-11-12 11:13 . 2011-11-12 11:13 -------- d-----w- c:\documents and settings\Ian Petrie\Local Settings\Application Data\Temp
2011-11-12 11:03 . 2011-11-12 11:03 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 21:30 . 2011-05-13 18:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-03-02 15:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 05:06 . 2011-01-05 10:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2011-01-05 10:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-11-30 11:38 1547104 ----a-w- c:\program files\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll" [2011-11-30 1547104]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 10 Interface"="c:\program files\Cobian Backup 10\cbInterface.exe" [2010-07-13 3152384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-04-06 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 73360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBWADIASABZAC0AMgBaAEMAVwBTAC0AQgBBAFkAVwBSAC0AQwBDAEwAWgBUAC0AVwBaAEgAVAAyAA&inst=NwA2AC0ANQAwADQAOAAxADUANQAzADgALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAFAATAArADkALQBOADEARAArADEALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwA1ADEANQAwADIALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAC0AUAA5ADAATQAxADIAQwArADEALQBQADkAVQArADEALQBVADkANQArADEALQBUAEIAKwAxAC0AUAA5AFIAKwAxAC0AUAA5ADAAVABCACsAMgA&prod=92&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Ian Petrie\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-10-5 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2011-6-12 618496]
WinZip Quick Pick.lnk - c:\winzip\WZQKPICK.EXE [2010-4-27 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [28/09/2010 14:03 15328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [03/11/2011 14:44 27016]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\User_Feed_Synchronization-{7B2F4308-BD68-4B29-B2F1-242F108A7EDE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///E:/Sarah/system/Bookmarks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-NWEReboot - (no file)
HKLM-Run-vProt - c:\program files\AVG Secure Search\vprot.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-10 00:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(716)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2011-12-10 00:50:09
ComboFix-quarantined-files.txt 2011-12-10 00:49
.
Pre-Run: 24,720,302,080 bytes free
Post-Run: 25,384,353,792 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 09E9A7B1DE09AE2E0323306099228207

#6 jeffce

jeffce

    Malware Guy

  • Authentic Member
  • 8,693 posts

Posted 09 December 2011 - 09:31 PM

Hi Sarah,

Let's go ahead and get an antivirus on your system. I would recommend either of these but be sure to only choose one:
Microsoft Security Essentials
Avast
------------

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    DDS::
    	 uStart Page = file:///E:/Sarah/system/Bookmarks.html
    	 mURLSearchHooks: H - No File
    	 BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    	 BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
    	 
    	 Folder::
    	 c:\docume~1\ianpet~1\applic~1\AVG Secure Search
    	 c:\docume~1\alluse~1\applic~1\AVG Secure Search
    	 c:\program files\common files\AVG Secure Search
    	 c:\program files\AVG Secure Search
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
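The CFScript above was written by reading the first ComboFix log: the helper picked out the "AVG Secure Search" entries under "Files Created" and "Reg Loading Points" and listed the leftover folders under a Folder:: directive. The following is an added example, not code from the thread and not part of ComboFix, that does the same triage mechanically: it parses those two sections of a ComboFix log, flags every path that mentions a product name, drafts the Folder:: block, and compares a "before" and an "after" log to confirm the flagged items are gone. The line patterns are derived from the log lines posted in this thread (an assumption, since ComboFix's format is not documented on the page), the sample logs are constructed in that shape, and the drafted Folder:: block uses the long paths from the log whereas the helper's script used 8.3 short names for the same folders.

```python
"""Parse a ComboFix log's 'Files Created' and 'Reg Loading Points' sections, flag
entries that reference a product, and compare two logs to confirm the flagged
items are gone after a CFScript run.  Added example: not code from the thread
and not part of ComboFix.  Sample logs are constructed in the thread's log format."""
import re
from collections import namedtuple

BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")      # "(((( Reg Loading Points ))))"
END_RE = re.compile(r"^(- - - -|-------|\*\*\*\*)")   # headers of sections not parsed here
KEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"([^"]*)"\s*\[\d{4}-\d{2}-\d{2} (\d+)\]$')  # "Name"="path" [date size]
KEYFILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) \S+ (.+)$")          # key-only: date size attrs path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ \S+ (\S+) (.+)$")  # created . modified size attrs path

Autorun = namedtuple("Autorun", "key name path size")   # name is "" for key-only entries (BHO/CLSID)
Created = namedtuple("Created", "created path is_dir")  # is_dir: attribute column starts with "d"

def _sections(log_text):
    """Yield (section_name, line) for each content line, tracking the current banner."""
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := BANNER_RE.match(line):
            section = m.group(1)
        elif END_RE.match(line):
            section = ""   # dashed/starred header: we have left the sections we parse
        else:
            yield section, line

def parse_autoruns(log_text):
    """Autostart entries listed under 'Reg Loading Points'."""
    entries, key = [], ""
    for section, line in _sections(log_text):
        if section != "Reg Loading Points":
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := VALUE_RE.match(line):
            entries.append(Autorun(key, m.group(1), m.group(2), int(m.group(3))))
        elif m := KEYFILE_RE.match(line):
            entries.append(Autorun(key, "", m.group(2), int(m.group(1))))
    return entries

def parse_created(log_text):
    """Files and folders listed under 'Files Created from ... to ...'."""
    items = []
    for section, line in _sections(log_text):
        if section.startswith("Files Created") and (m := CREATED_RE.match(line)):
            items.append(Created(m.group(1), m.group(3), m.group(2).startswith("d")))
    return items

def find_references(log_text, product):
    """Deduplicated paths from both sections that mention `product` (case-insensitive)."""
    needle = product.lower()
    hits = {a.path for a in parse_autoruns(log_text) if needle in a.path.lower()}
    hits |= {c.path for c in parse_created(log_text) if needle in c.path.lower()}
    return sorted(hits, key=str.lower)

def removed_between(before, after, product):
    """Paths referencing `product` in the earlier log that no longer appear in the later one."""
    later = {p.lower() for p in find_references(after, product)}
    return [p for p in find_references(before, product) if p.lower() not in later]

def draft_folder_section(log_text, product):
    """Folder:: block for the product's folders, in the form used in the thread's CFScript
    (long paths here; the thread's script used 8.3 short names for the same folders)."""
    dirs = [c.path for c in parse_created(log_text) if c.is_dir and product.lower() in c.path.lower()]
    return "Folder::\n" + "\n".join(dirs) + "\n"

# Constructed samples in the shape of the logs posted before and after the CFScript run.
SAMPLE_BEFORE = r"""
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
2011-12-03 11:24 . 2011-12-03 11:24 -------- d-----w- c:\documents and settings\Ian Petrie\Application Data\AVG Secure Search
2011-11-30 11:38 . 2011-12-08 22:37 -------- d-----w- c:\program files\AVG Secure Search
2011-11-12 11:22 . 2011-11-12 11:22 -------- d-----w- c:\program files\ZoneAlarm_Security
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-11-30 11:38 1547104 ----a-w- c:\program files\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll" [2011-11-30 1547104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 73360]
------- Supplementary Scan -------
TCP: DhcpNameServer = 192.168.1.1
"""
SAMPLE_AFTER = r"""
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
2011-12-10 21:49 . 2011-12-10 21:49 -------- d-----w- c:\program files\AVAST Software
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"""

if __name__ == "__main__":
    print(draft_folder_section(SAMPLE_BEFORE, "AVG Secure Search"))
    print("gone after CFScript:", removed_between(SAMPLE_BEFORE, SAMPLE_AFTER, "AVG Secure Search"))
```

Run against the two real logs in this thread, `removed_between` lists the AVG Secure Search folders and the toolbar DLL that the BHO and Toolbar keys loaded, which is exactly what the second log's "Other Deletions" section reports; anything still present afterwards would be the sign that the script missed a loading point and needs another pass.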

#7 molongriff

molongriff

    Authentic Member

  • Authentic Member
  • 40 posts

Posted 10 December 2011 - 05:10 PM

Hi Jeff

I have installed Avast! and I then disabled it to run ComboFix, which I ran by dragging CFScript.txt into it.

When it started running, it told me there was a newer version of ComboFix available and gave me the option to download it, but I said "no" as I was afraid it might upset the running of it when I had dragged CFScript into it.

Also I had to reboot again after it had finished, as some of the icons in the system tray had disappeared, and they reappeared when I had rebooted.

Here is the ComboFix log:

ComboFix 11-12-09.03 - Ian Petrie 10/12/2011 22:16:13.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.565 [GMT 0:00]
Running from: c:\documents and settings\Ian Petrie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian Petrie\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\alluse~1\applic~1\AVG Secure Search
c:\docume~1\ianpet~1\applic~1\AVG Secure Search
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\272512937d9e61a4.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\272512937d9e61a4__exp__1323640990
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\28bc8f716fd76a47.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\28bc8f716fd76a47__exp__1323640989
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\590ba23ce359fd0c.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\590ba23ce359fd0c__exp__1323640990
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\651c5d3cdbfb8bd1.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\651c5d3cdbfb8bd1__exp__1323640990
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\6c59ac5e7e7a3ad0.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\6c59ac5e7e7a3ad0__exp__1323640990
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\ad10a52aff5e038d.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\ad10a52aff5e038d__exp__1323640989
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\c4d28dca2e7648be.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\c4d28dca2e7648be__exp__1323640990
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\c82ef8e0e6b692c0.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\c82ef8e0e6b692c0__exp__1323640989
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\d201ef9910cd39de.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\d201ef9910cd39de__exp__1323640990
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\e0de16f883bea794.fb
c:\docume~1\ianpet~1\applic~1\AVG Secure Search\cache\e0de16f883bea794__exp__1323640990
c:\program files\AVG Secure Search
c:\program files\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll
c:\program files\AVG Secure Search\about.gif
c:\program files\AVG Secure Search\avguidx.dll
c:\program files\AVG Secure Search\calc.gif
c:\program files\AVG Secure Search\CleanHistory.gif
c:\program files\AVG Secure Search\configuration.xml
c:\program files\AVG Secure Search\current.gif
c:\program files\AVG Secure Search\Facebook.gif
c:\program files\AVG Secure Search\favicon.ico
c:\program files\AVG Secure Search\feedback.gif
c:\program files\AVG Secure Search\help.gif
c:\program files\AVG Secure Search\icon18.gif
c:\program files\AVG Secure Search\iGearedHelper.dll
c:\program files\AVG Secure Search\labs.gif
c:\program files\AVG Secure Search\lip.exe
c:\program files\AVG Secure Search\MigrationTool.exe
c:\program files\AVG Secure Search\note.gif
c:\program files\AVG Secure Search\PageStatus.gif
c:\program files\AVG Secure Search\PostInstall.exe
c:\program files\AVG Secure Search\radio\bg.gif
c:\program files\AVG Secure Search\radio\play.gif
c:\program files\AVG Secure Search\radio\play_hover.gif
c:\program files\AVG Secure Search\radio\radio.html
c:\program files\AVG Secure Search\radio\radio.js
c:\program files\AVG Secure Search\radio\stations.xml
c:\program files\AVG Secure Search\radio\stop.gif
c:\program files\AVG Secure Search\radio\stop_hover.gif
c:\program files\AVG Secure Search\radio\v_minus.gif
c:\program files\AVG Secure Search\radio\v_minus_1.gif
c:\program files\AVG Secure Search\radio\v_plus.gif
c:\program files\AVG Secure Search\radio\v_plus_1.gif
c:\program files\AVG Secure Search\radio\vol_line_emp.gif
c:\program files\AVG Secure Search\radio\vol_line_full.gif
c:\program files\AVG Secure Search\radio\vol_line_half.gif
c:\program files\AVG Secure Search\remote_configuration.xml
c:\program files\AVG Secure Search\search.gif
c:\program files\AVG Secure Search\SecuredSearch.gif
c:\program files\AVG Secure Search\setup.bmp
c:\program files\AVG Secure Search\toolbar.zip
c:\program files\AVG Secure Search\Uninstall.exe
c:\program files\AVG Secure Search\weather.gif
c:\program files\AVG Secure Search\windows.gif
c:\program files\common files\AVG Secure Search
c:\program files\common files\AVG Secure Search\CommonInstaller\9.0.1\CommonInstaller.exe
c:\program files\common files\AVG Secure Search\InstalledProducts.ini
c:\program files\common files\AVG Secure Search\ScriptHelperInstaller\9.0.1\ScriptHelper.exe
c:\program files\common files\AVG Secure Search\ToolBandTlb\9.0.1\toolband
c:\program files\common files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
c:\program files\common files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe.to_delete
c:\program files\common files\AVG Secure Search\vToolbarUpdater\9.0.1\UpdaterConfig.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_vToolbarUpdater
-------\Service_vToolbarUpdater
.
.
((((((((((((((((((((((((( Files Created from 2011-11-10 to 2011-12-10 )))))))))))))))))))))))))))))))
.
.
2011-12-10 21:50 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-12-10 21:50 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-12-10 21:50 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-12-10 21:50 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-12-10 21:50 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-10 21:50 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-12-10 21:50 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-12-10 21:50 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-12-10 21:49 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2011-12-10 21:49 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-10 21:49 . 2011-12-10 21:49 -------- d-----w- c:\program files\AVAST Software
2011-12-10 21:49 . 2011-12-10 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-12 11:23 . 2011-12-09 23:51 -------- d-----w- c:\windows\Internet Logs
2011-11-12 11:22 . 2011-12-10 22:01 -------- d-----w- c:\documents and settings\Ian Petrie\Local Settings\Application Data\ZoneAlarm_Security
2011-11-12 11:22 . 2011-12-10 22:01 -------- d-----w- c:\program files\ZoneAlarm_Security
2011-11-12 11:21 . 2011-11-12 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2011-11-12 11:13 . 2011-11-12 11:13 -------- d-----w- c:\documents and settings\Ian Petrie\Local Settings\Application Data\Temp
2011-11-12 11:03 . 2011-11-12 11:03 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 21:30 . 2011-05-13 18:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-03-02 15:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 05:06 . 2011-01-05 10:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2011-01-05 10:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-10_00.45.44 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-12-10 22:36 . 2011-12-10 22:36 16384 c:\windows\Temp\Perflib_Perfdata_590.dat
- 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZon0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 10 Interface"="c:\program files\Cobian Backup 10\cbInterface.exe" [2010-07-13 3152384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-04-06 28672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 73360]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBWADIASABZAC0AMgBaAEMAVwBTAC0AQgBBAFkAVwBSAC0AQwBDAEwAWgBUAC0AVwBaAEgAVAAyAA&inst=NwA2AC0ANQAwADQAOAAxADUANQAzADgALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAFAATAArADkALQBOADEARAArADEALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwA1ADEANQAwADIALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAC0AUAA5ADAATQAxADIAQwArADEALQBQADkAVQArADEALQBVADkANQArADEALQBUAEIAKwAxAC0AUAA5AFIAKwAxAC0AUAA5ADAAVABCACsAMgA&prod=92&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Ian Petrie\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-10-5 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2011-6-12 618496]
WinZip Quick Pick.lnk - c:\winzip\WZQKPICK.EXE [2010-4-27 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [28/09/2010 14:03 15328]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/12/2011 21:50 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/12/2011 21:50 314456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/12/2011 21:50 20568]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [30/10/2010 19:07 67584]
R2 CobianBackup10;Cobian Backup 10;c:\program files\Cobian Backup 10\cbService.exe [30/10/2010 19:07 1125376]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [03/11/2011 14:44 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [03/11/2011 14:44 497280]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 14:02 220128]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWSNX
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-10 c:\windows\Tasks\User_Feed_Synchronization-{7B2F4308-BD68-4B29-B2F1-242F108A7EDE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} -
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-10 22:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(924)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(2592)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2011-12-10 22:47:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-10 22:47
ComboFix2.txt 2011-12-10 00:50
.
Pre-Run: 25,082,400,768 bytes free
Post-Run: 24,992,239,616 bytes free
.
- - End Of File - - 11B4332A946439707C5AC1D88B684206

#8 jeffce (Malware Guy, Authentic Member, 8,693 posts)
Posted 10 December 2011 - 08:31 PM

Hi Sarah,

All of the things you noted are normal. :) I would like for you to delete your copy of ComboFix from your desktop and then download a fresh copy we will use later.
---------------

I see that you have Malwarebytes on your system. Please open Malwarebytes, update it and then run a Quick Scan. Please save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish
http://www.eset.com/onlinescan/
----------

In your next reply please post the logs made by Malwarebytes and ESET online scanner. :)

#9 molongriff (Authentic Member, 40 posts)
Posted 11 December 2011 - 09:43 AM

Hi Jeff

I have deleted ComboFix and downloaded it again from the link you gave me before. I have run a quick scan with Malwarebytes. See scan log below.

I disabled Avast! and ran the ESET online scanner. While running, it warned me that "another antivirus was detected" and this was ZoneAlarm. I didn't know how to disable ZoneAlarm, or if I should have done this or not, so I just continued with the scan. The ESET scan appeared to find 1 threat. The log is posted below the Malwarebytes one.

This file was the installation .exe file for an upgrade to software I downloaded off the web ages ago and hadn't actually installed on this computer. Just to check, I went to the folder where it was and there were 2 versions of the installation file. The other one (unlocker1.8.5.exe) must have been OK. However, as soon as I had opened the folder, Avast! (which I had re-enabled after running the scan) immediately told me it had blocked "unlocker1.8.6.exe" (the file reported by ESET) to prevent me from opening it, and it disappeared from the folder. I suppose that's full marks to Avast! (and no marks to AVG which never found it, unless, of course, it was a false hit).

This file is probably also on 2 external hard drives which I use for backups. How should I proceed with these? Should I just run Avast! over the folder containing the file on each of them and then delete the folder (which I don't need)?

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8351

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/12/2011 09:00:25
mbam-log-2011-12-11 (09-00-25).txt

Scan type: Quick scan
Objects scanned: 157802
Time elapsed: 11 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET log:
E:\Sarah\software\unlocker\unlocker1.8.6.exe Win32/Adware.ADON application

#10 jeffce (Malware Guy, Authentic Member, 8,693 posts)
Posted 11 December 2011 - 12:02 PM

Hi Sarah,

This file is probably also on 2 external hard drives which I use for backups. How should I proceed with these?

Sure...you could run Avast over those two external hard drives. It never hurts to do that. :)
-----------

That finding by Avast is not a false positive. It really is something that should go.
-----------


You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 7.0.8 first. Be sure to move any PDF documents to another folder first though.
----------

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    File::
    E:\Sarah\software\unlocker\unlocker1.8.6.exe
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
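
Jeff's answer about scanning the external drives leaves the practical question of how to find every copy of a flagged installer once backups have multiplied it. The script below is an added example, not part of this thread and not code from Avast, ESET or ComboFix: it takes the one confirmed copy as a reference, hashes it with SHA-256, and walks the backup roots for byte-identical files regardless of their name, while listing separately any file that only shares the name (a scanner verdict on one copy transfers to byte-identical copies, not to same-named files with different content). The directory layout and file contents built by demo() are constructed stand-ins; the real unlocker installer is not on this page.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB pieces so large backup sets do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            digest.update(block)
    return digest.hexdigest()


def find_copies(reference: str, roots: List[str]) -> Dict[str, List[str]]:
    """Walk each root and split hits into byte-identical copies of `reference`
    (same SHA-256, any file name) and files that only share its name."""
    ref_hash = sha256_of(reference)
    ref_size = os.path.getsize(reference)
    ref_name = os.path.basename(reference).lower()
    ref_abs = os.path.abspath(reference)
    hits: Dict[str, List[str]] = {'identical': [], 'same_name_different_content': []}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.abspath(path) == ref_abs:
                    continue                      # the reference itself
                try:
                    size = os.path.getsize(path)
                except OSError:
                    continue                      # unreadable entry, skip it
                # Compare sizes first: hashing is only needed for size matches.
                if size == ref_size and sha256_of(path) == ref_hash:
                    hits['identical'].append(path)
                elif name.lower() == ref_name:
                    hits['same_name_different_content'].append(path)
    return hits


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree standing in for the flagged installer and two
    backup drives (constructed bytes, not the real file), search it, clean up."""
    base = tempfile.mkdtemp(prefix='copies-')
    flagged = b'constructed stand-in for the flagged installer'
    other = b'constructed stand-in for a different build'
    layout = {
        'E/software/unlocker/unlocker1.8.6.exe': flagged,         # the confirmed copy
        'backup1/software/unlocker/unlocker1.8.6.exe': flagged,   # straight backup copy
        'backup1/old/setup.exe': flagged,                         # renamed, same bytes
        'backup2/software/unlocker/unlocker1.8.6.exe': other,     # same name, other bytes
        'backup2/software/unlocker/unlocker1.8.5.exe': other,     # different build
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)
    reference = os.path.join(base, 'E', 'software', 'unlocker', 'unlocker1.8.6.exe')
    try:
        return find_copies(reference, [os.path.join(base, 'backup1'),
                                       os.path.join(base, 'backup2')])
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == '__main__':
    for bucket, paths in demo().items():
        print(bucket)
        for p in paths:
            print('   ', p)
```

Use the copy the scanner actually flagged as the reference (it must still exist, so export it from quarantine or run the script before the scanner removes it). Everything in the "identical" bucket can be deleted with the same confidence as the original detection; the "same_name_different_content" bucket needs its own scan rather than a guess either way.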


#11 molongriff (Authentic Member, 40 posts)
Posted 11 December 2011 - 03:08 PM

Hi Jeff

I haven't done all that yet as I thought I should get rid of that "unlocker" file from the external hard disks first. In so doing, I hit another problem. With the first hard disk attached, I scanned just the "unlocker" folders with Avast! (I had it backed up 3 times on that drive) and it found the 3 files and moved them to quarantine. Avast! then recommended that I should do a Boot Time scan so I thought I should do this. After about 3/4 hour it came up with a message about an infection and asked me what I wanted it to do. It seemed to be in a folder called "Quarantine" so I thought it might be something that was already quarantined. It gave me a whole lot of choices (delete / move to chest / repair / ignore) and I wasn't sure which to pick, so I selected ESC. I thought the scan had already ended, but it seems I just aborted it. As it had been at 1%, I think it might have taken the best part of a week to run the whole scan, especially if it stopped at each of several infections.

The Avast! scan log was as follows:

12/11/2011 19:43
Scan of all local drives

File C:\Qoobox\Quarantine\C\Documents and Settings\Ian Petrie\Application Data\1DE2.0E7.vir is infected by INI:Cycbot-gen [Trj]

Scanning aborted
Number of searched folders: 3679
Number of tested files: 370912
Number of infected files: 1

#12 jeffce (Malware Guy, Authentic Member, 8,693 posts)
Posted 11 December 2011 - 03:20 PM

Hi,

Lets not worry about the external hard drives yet until we get your system cleaned up. Do Not delete Qoobox! It is part of ComboFix.
We will worry about the external hard drives later. :)
------

For now lets just work on updating Adobe, Java and running the fix with ComboFix. :)

#13 molongriff (Authentic Member, 40 posts)
Posted 11 December 2011 - 03:46 PM

Thanks, Jeff. I'll follow what you say. It's night here now and I have to work tomorrow, so it may be nearly 24 hours before I can get this done. Sarah

#14 jeffce (Malware Guy, Authentic Member, 8,693 posts)
Posted 11 December 2011 - 05:46 PM

:thumbup:

#15 molongriff (Authentic Member, 40 posts)
Posted 12 December 2011 - 05:24 PM

Hi Jeff

I uninstalled Adobe Reader 7.0.8 but I was unable to install the newer version. I seemed to have a problem with the computer running very slowly again, and it looked as if IE was causing the CPU to run at 100%. Downloading Adobe Reader was taking forever, so I left out that bit and went ahead with the rest. I'll have another go at it later, or look into Foxit Reader. The computer seems to be running better now.

I used JavaRa to uninstall Java and then reinstalled it as instructed. I hope I got that right.

Finally I ran Combofix by dragging the new file into it. Once again it gave me the option to get a newer version, but I didn't want to disrupt it when it was already running with the new file, so I said "no" to this.

Here is the log:

ComboFix 11-12-10.01 - Ian Petrie 12/12/2011 22:23:16.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.492 [GMT 0:00]
Running from: c:\documents and settings\Ian Petrie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian Petrie\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"e:\sarah\software\unlocker\unlocker1.8.6.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))
.
.
2011-12-12 22:02 . 2011-12-12 22:02 -------- d-----w- c:\program files\Common Files\Java
2011-12-12 22:01 . 2011-12-12 22:01 -------- d-----w- c:\program files\Oracle
2011-12-12 22:01 . 2011-12-12 22:01 -------- d-----w- c:\documents and settings\Ian Petrie\Application Data\Oracle
2011-12-12 22:00 . 2011-12-12 21:59 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2011-12-12 21:07 . 2011-12-12 21:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-12-12 21:03 . 2011-12-12 21:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-12-12 21:02 . 2011-12-12 21:21 -------- d-----w- c:\documents and settings\Ian Petrie\Local Settings\Application Data\Google
2011-12-12 21:02 . 2011-12-12 21:03 -------- d-----w- c:\program files\Google
2011-12-11 11:04 . 2011-12-11 11:04 -------- d-----w- c:\program files\ESET
2011-12-10 21:50 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-12-10 21:50 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-12-10 21:50 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-12-10 21:50 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-12-10 21:50 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-10 21:50 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-12-10 21:50 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-12-10 21:50 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-12-10 21:49 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2011-12-10 21:49 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-10 21:49 . 2011-12-10 21:49 -------- d-----w- c:\program files\AVAST Software
2011-12-10 21:49 . 2011-12-10 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 21:30 . 2011-05-13 18:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 19:56 . 2011-01-05 10:02 141312 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-08 19:56 . 2011-01-05 10:02 567184 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-10 14:22 . 2010-03-02 15:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-10_00.45.44 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-12-12 22:00 . 2011-12-12 22:00 16384 c:\windows\Temp\Perflib_Perfdata_578.dat
+ 2011-12-12 21:11 . 2011-12-12 21:11 22016 c:\windows\Installer\1213a2.msi
+ 2011-12-12 21:03 . 2011-12-12 21:03 24064 c:\windows\Installer\12139b.msi
- 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 00:05 . 2009-07-12 00:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2011-12-12 22:00 . 2011-11-08 19:56 223112 c:\windows\system32\javaws.exe
+ 2011-12-12 22:00 . 2011-12-12 21:59 173960 c:\windows\system32\javaw.exe
+ 2011-12-12 22:00 . 2011-12-12 21:59 173960 c:\windows\system32\java.exe
+ 2011-12-12 22:02 . 2011-12-12 22:02 176128 c:\windows\Installer\45b0de.msi
+ 2011-12-12 22:01 . 2011-12-12 22:01 101376 c:\windows\Installer\45b0cc.msi
+ 2011-12-12 21:59 . 2011-12-12 21:59 938496 c:\windows\Installer\45b0c8.msi
- 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 00:02 . 2009-07-12 00:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZon0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 10 Interface"="c:\program files\Cobian Backup 10\cbInterface.exe" [2010-07-13 3152384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-04-06 28672]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 73360]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBWADIASABZAC0AMgBaAEMAVwBTAC0AQgBBAFkAVwBSAC0AQwBDAEwAWgBUAC0AVwBaAEgAVAAyAA&inst=NwA2AC0ANQAwADQAOAAxADUANQAzADgALQBYAE8AMwA2ACsAMQAtAFQAQgA5ACsAMgAtAFAATAArADkALQBOADEARAArADEALQBDAEkAQQA5ADAAKwAyAC0ARABEAFQAKwA1ADEANQAwADIALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAC0AUAA5ADAATQAxADIAQwArADEALQBQADkAVQArADEALQBVADkANQArADEALQBUAEIAKwAxAC0AUAA5AFIAKwAxAC0AUAA5ADAAVABCACsAMgA&prod=92&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Ian Petrie\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-10-5 113664]
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2011-6-12 618496]
WinZip Quick Pick.lnk - c:\winzip\WZQKPICK.EXE [2010-4-27 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [28/09/2010 14:03 15328]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/12/2011 21:50 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/12/2011 21:50 314456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/12/2011 21:50 20568]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [03/11/2011 14:44 27016]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GUPDATE
*NewlyCreated* - GUSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-12 21:02]
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-12 21:02]
.
2011-12-12 c:\windows\Tasks\User_Feed_Synchronization-{7B2F4308-BD68-4B29-B2F1-242F108A7EDE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-12 22:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(924)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2011-12-12 23:00:29
ComboFix-quarantined-files.txt 2011-12-12 23:00
ComboFix2.txt 2011-12-10 22:48
ComboFix3.txt 2011-12-10 00:50
.
Pre-Run: 24,566,702,080 bytes free
Post-Run: 24,605,863,936 bytes free
.
- - End Of File - - 5EE6F2DF293D9684902C3614F5EC54F6
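
Both ComboFix logs in this thread (the one whose tail opens this page and the one in Sarah's last post) carry the same Reg Loading Points entries that deserve a second look when reading a log like this: the Windows Firewall standard profile is off (EnableFirewall=0) with Security Center monitoring handed to ZoneLabsFirewall, and the firewall's AuthorizedApplications list includes c:\WINDOWS\system32\mshta.exe, the Windows HTML Application host. The Python below is an added example, not part of the thread and not ComboFix's own code: it parses that section of a log and reports those two conditions plus autorun entries that start from a user-writable folder or carry a system-binary name outside System32. SAMPLE_LOG is constructed from lines in the posted log plus one made-up Temp-folder "updater" entry so the autorun rule has something to fire on; the output is a list of things to check by hand, not a verdict on Sarah's machine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the "Reg Loading Points" section of the ComboFix
# logs posted in this thread. The Run, Security Center and firewall lines are
# copied from the posted log; the "updater" line is made up so the autorun
# check has something to flag.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"updater"="c:\documents and settings\user\Local Settings\Temp\svchost.exe" [2011-12-01 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

FW_PROFILE = r'hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile'
FW_ALLOWLIST = FW_PROFILE + r'\authorizedapplications\list'
SC_MONITORING = r'hkey_local_machine\software\microsoft\security center\monitoring'

# Signed Windows binaries that will happily run script handed to them; a
# firewall exception for one of them deserves a second look.
SCRIPT_HOSTS = {'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe'}
# Names malware borrows; the legitimate copies live under \windows\system32.
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe'}
USER_WRITABLE = ('\\temp\\', '\\application data\\', '\\local settings\\')


def parse_sections(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [key] heading (lower-cased) to its (name, value) lines."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue                      # ComboFix uses a lone '.' as a spacer
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def _exe_path(value: str) -> str:
    """Pull the quoted path out of a Run value like "c:\\x.exe" [date size]."""
    m = re.match(r'^"([^"]+)"', value)
    return m.group(1).lower() if m else ''


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (category, detail) items worth a human look. Not a verdict."""
    s = parse_sections(log)
    findings: List[Tuple[str, str]] = []

    # 1. Windows Firewall off is only acceptable if a third-party firewall has
    #    registered with Security Center (DisableMonitoring=1) and is running.
    profile = dict(s.get(FW_PROFILE, []))
    if profile.get('EnableFirewall', '').startswith('0'):
        third_party = [k.rsplit('\\', 1)[-1] for k, vals in s.items()
                       if k.startswith(SC_MONITORING + '\\')
                       and dict(vals).get('DisableMonitoring') == 'dword:00000001']
        detail = 'Windows Firewall standard profile disabled (EnableFirewall=0)'
        if third_party:
            detail += '; Security Center monitoring handed to ' + ', '.join(third_party) \
                      + ', confirm that firewall is actually running'
        else:
            detail += ' and no third-party firewall registered'
        findings.append(('firewall_off', detail))

    # 2. Firewall exceptions for script hosts. Entries are stored with doubled
    #    backslashes, so normalise before looking at the file name.
    for name, _ in s.get(FW_ALLOWLIST, []):
        path = name.replace('\\\\', '\\').lower()
        if path.rsplit('\\', 1)[-1] in SCRIPT_HOSTS:
            findings.append(('allowlisted_script_host', path))

    # 3. Autoruns from user-writable folders, or system-binary names outside
    #    System32, in any ...\CurrentVersion\Run key.
    for key, entries in s.items():
        if not key.endswith(r'\currentversion\run'):
            continue
        for name, value in entries:
            path = _exe_path(value)
            reasons = []
            if any(marker in path for marker in USER_WRITABLE):
                reasons.append('runs from a user-writable folder')
            exe = path.rsplit('\\', 1)[-1]
            if exe in SYSTEM_NAMES and not path.startswith('c:\\windows\\system32\\'):
                reasons.append('system binary name outside System32')
            if reasons:
                findings.append(('autorun', f'{name} -> {path} ({"; ".join(reasons)})'))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'[{category}] {detail}')
```

The firewall item is only a prompt to confirm the third-party product is live; in this thread the log header's "FW: ZoneAlarm Free Firewall *Enabled*" line answers it. XP's built-in firewall filters inbound traffic only, so the mshta.exe exception permits inbound connections to a script host that almost nothing needs; it is not malware by itself, but it is worth removing if no program on the machine depends on it. The three autorun entries copied from the real log come back clean, which is consistent with Jeff's reading of it.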
